Abstract

The Universal Composability model (UC) by Canetti (FOCS 2001) allows for secure composition 
of arbitrary protocols. We present a quantum version of the UC model which enjoys the same 
compositionality guarantees. We prove that in this model statistically secure oblivious transfer 
protocols can be constructed from commitments. Furthermore, we show that every statistically 
classically UC secure protocol is also statistically quantum UC secure. Such implications are not 
known for other quantum security definitions. As a corollary we get that quantum UC secure 
protocols for general multi-party computation can be constructed from commitments. 
1 Introduction



Since the inception of quantum key distribution by Bennett and Brassard [BB84], it has been known
that quantum communication permits to achieve protocol tasks that are impossible given only a
classical channel. For example, a quantum key distribution scheme [BB84] permits to agree on
a secret key that is statistically secret, using only an authenticated but not secret channel. (By
statistical security we mean security against computationally unbounded adversaries, also known as
information-theoretical security.) In contrast, when using only classical communication, it is easy
to see that such a secret key can always be extracted by a computationally sufficiently powerful
adversary. Similarly, based on an idea by Wiesner [Wie83], Bennett, Brassard, Crépeau, and
Skubiszewska [BBCS91] presented a protocol that was supposed to construct a statistically secure
oblivious transfer protocol^1 from a commitment, another feat that is easily seen to be impossible
classically.^2 Oblivious transfer, on the other hand, has been recognized by Kilian [Kil88] to suffice
for securely evaluating arbitrary functions. Unfortunately, the protocol of Bennett et al. could, at the
time, not be proven secure, and the first complete proof of (a variant of) that protocol was given almost
two decades later by Damgård, Fehr, Lunemann, Salvail, and Schaffner [DFL+09a].

Yet, although the oblivious transfer protocol satisfies the intuitive secrecy requirements of oblivious
transfer, in certain cases the protocol might lose its security when used in a larger context. In
other words, there are limitations on how the protocol can be composed. For example, no security
guarantee is given when several instances of the protocol are executed concurrently (see Section 1.5
for a more detailed explanation of the various restrictions).

The problem of composability has been intensively studied by the classical cryptography
community (here and in the following, we use the word classical as opposed to quantum). To deal with
this problem in a general way, Canetti [Can01] introduced the notion of Universal Composability,
short UC (Pfitzmann and Waidner [PW01] independently introduced the equivalent Reactive
Simulatability framework). The UC framework allows one to express the security of a multitude of
protocol tasks in a unified way, and any UC-secure protocol automatically enjoys strong
composability guarantees (so-called universal composability). In particular, such a protocol can be run
concurrently with others, and it can be used as a subprotocol of other protocols in a general way.
Ben-Or and Mayers [BOM04] and Unruh [Unr04] have shown that the idea of UC-security can be
easily adapted to the quantum setting and have independently presented quantum variants of the
UC notion. These notions enjoy the same strong compositionality guarantees. Shortly afterwards,
Ben-Or, Horodecki, Leung, Mayers, and Oppenheim [BOHL+05] showed that many quantum key
distribution protocols are quantum-UC-secure.

Our contribution. In this work, we use the UC framework to show the existence of a statistically
secure and universally composable oblivious transfer protocol that uses only a commitment scheme.
Towards this goal, we first present a new definition of quantum-UC-security. In our opinion, our
notion is technically simpler than the notions of Ben-Or and Mayers [BOM04] and Unruh [Unr04].

^1 In an oblivious transfer protocol, Alice holds two bitstrings $m_0, m_1$, and Bob a bit $c$. Bob is
supposed to get $m_c$ but not $m_{1-c}$, and Alice should not learn $c$.

^2 We remark that, on the other hand, Mayers [May97] shows that also in the quantum case, constructing a
statistically secure commitment scheme without any additional assumption is impossible. However, under additional
assumptions like in the quantum bounded storage model by Damgård, Fehr, Salvail, and Schaffner [DFSS05],
statistically secure bit commitment is possible. See Section 1.4 for a discussion of the implications of Mayers'
impossibility result for our result.
We believe that this may also help to increase the popularity of this notion in the quantum
cryptography community and to show the potential for using UC-security in the design of quantum
protocols. Second, we show that a variant of the protocol by Bennett et al. [BBCS91] is indeed
a UC-secure oblivious transfer protocol. By composing this protocol with a UC-secure protocol
for general multi-party computations by Ishai, Prabhakaran, and Sahai [IPS08], we get UC-secure
protocols for general multi-party computations using only commitments and a quantum channel;
this is easily seen to be impossible in a purely classical setting.

1.1 Quantum Universal Composability (quantum-UC)

We begin by giving an overview of the UC framework. The basic idea behind the UC framework
is to define security by comparison. Given a certain protocol task, say to implement a secure
message transfer, we first specify a machine, called the ideal functionality $\mathcal{F}$, that, by
definition, fulfills this protocol task securely. E.g., in the case of a secure message transfer, this
functionality would take a value $x$ from Alice and give this value to Bob. All communication between
parties and the functionality is done over secure channels. Obviously, this functionality $\mathcal{F}$
does exactly what we expect from a secure message transfer. Then, we define what it means for a
protocol $\pi$ to be a secure implementation of $\mathcal{F}$. Intuitively, we require that $\pi$ is no
less secure than $\mathcal{F}$. In other words, anything the adversary can do in an execution of $\pi$,
the adversary could also do in an execution using $\mathcal{F}$. (And in particular, since $\mathcal{F}$
is secure by definition, the adversary then cannot perform any successful attacks on $\pi$ either.)
This requirement is formally captured by requiring that for any adversary Adv, there is another
adversary Sim, the simulator, such that an execution of $\pi$ with Adv (called the real model) is
indistinguishable from an execution of $\mathcal{F}$ with Sim (called the ideal model). And
indistinguishability in turn is modeled by requiring that no machine $\mathcal{Z}$, called the
environment, can guess whether it is interacting with the real model or with the ideal model. More
precisely:

Definition 1 ((Classical) Universal Composability, informal) We say $\pi$ classical-UC-emulates
$\mathcal{F}$ if for any adversary Adv there is a simulator Sim such that for all environments
$\mathcal{Z}$ we have that the difference between the following probabilities is negligible: the
probability that $\mathcal{Z}$ outputs 1 in an execution of $\mathcal{Z}$, Adv, and $\pi$, and the
probability that $\mathcal{Z}$ outputs 1 in an execution of $\mathcal{Z}$, Sim, and $\mathcal{F}$.
(We assume that $\mathcal{Z}$ can freely communicate with the adversary/simulator.)

In the example of a secure message transfer functionality $\mathcal{F}$, the functionality would
receive its input $x$ from $\mathcal{Z}$ and then send $x$ back to $\mathcal{Z}$. In a secure message
transfer protocol $\pi$, that is, in a protocol $\pi$ classical-UC-emulating $\mathcal{F}$, Alice would
then have to take the input $x$ from $\mathcal{Z}$, and Bob would have to output $x$ to $\mathcal{Z}$
(otherwise $\mathcal{Z}$ could trivially distinguish the real and the ideal model). All communication
sent between Alice and Bob over insecure channels, however, would be under the control of the
adversary. Thus everything the adversary learns from that communication, the simulator would have
to be able to produce on its own; in particular, the adversary cannot derive $x$ from that
communication, since the simulator could not simulate that knowledge (in the ideal model, the
simulator cannot get $x$). This captures the intuitive requirement that a secure message transfer
protocol should not reveal the message to the adversary. In a similar way, other properties like the
authenticity of the message can be derived from the UC definition.

The UC definition comes in many flavors. For example, in computational classical UC-security
we restrict the adversary, simulator, and environment to polynomial-time machines. This variant
is used if we want to show security based on computational assumptions. In statistical classical
UC, on the other hand, we quantify over all (possibly unbounded) adversaries, simulators, and
environments. This variant is used to model statistical security.

Besides providing a unified way to model the security of various protocol tasks by specifying
the ideal functionality, the UC framework allows for very general composition of protocols. Assume
a protocol $\sigma^{\mathcal{F}}$ that uses a functionality $\mathcal{F}$ as a building block. That is,
in the real model, $\sigma^{\mathcal{F}}$ has access to a functionality $\mathcal{F}$ that performs a
certain task in a fully trusted way. (We say, $\sigma^{\mathcal{F}}$ runs in the $\mathcal{F}$-hybrid
model.) Assume that $\sigma^{\mathcal{F}}$ classical-UC-emulates some other functionality $\mathcal{G}$
and that we are given a protocol $\pi$ that classical-UC-emulates $\mathcal{F}$. Then the so-called
universal composition theorem states that $\sigma^{\pi}$, the protocol resulting from using the
subprotocol $\pi$ instead of $\mathcal{F}$, also classical-UC-emulates $\mathcal{G}$. This even holds
if $\sigma^{\mathcal{F}}$ invokes many instances of $\mathcal{F}$ concurrently. Such a composition
theorem is very useful for proving the security of larger protocols in a modular way: one first
abstracts away a subprotocol (here $\pi$) by replacing it by some functionality (here $\mathcal{F}$),
leading to a simpler protocol in the $\mathcal{F}$-hybrid model that is more amenable to analysis.
Then the protocol $\pi$ is analyzed separately. It should be noted that it was shown by Lindell [Lin03]
that no security notion weaker than (a particular variant of) classical UC can have such a composition
theorem.

To get a variant of the UC notion suitable for modeling quantum cryptography, we only need
to slightly modify the definition: instead of quantifying over classical adversaries, simulators, and
environments, we quantify over quantum adversaries, simulators, and environments. That is, the
protocol parties, the adversary, the simulator, and the environment are allowed to store, send, and
compute with quantum states. (And in the computational variant of quantum-UC-security, we
additionally restrict adversaries, simulators, and environments to polynomial-time quantum
computations.) Since, in a sense, we only change the machine model, most structural theorems about
UC-security, in particular the universal composition theorem, still hold for quantum-UC-security;
their proofs are almost identical in the classical and in the quantum setting. We present our model of
quantum-UC in Section 2 and give a universal composition theorem for that model.

1.2 UC-secure quantum oblivious transfer 

The oblivious transfer (OT) protocol used in this paper is essentially the same as the protocol
proposed by Damgård et al. [DFL+09a], which in turn is based on a protocol by Bennett et al. [BBCS91].
The basic idea of the protocol is that Alice encodes a random sequence $x$ of bits as a quantum state,
each bit randomly either in the computational basis or in the diagonal basis.^3 Then Bob is supposed
to measure all bits, this time in random bases of his choosing. Then Alice sends the bases she used
to Bob. Let $I_{=}$ denote the indices of the bits $x_i$ where Alice and Bob chose the same basis, and
$I_{\neq}$ the indices of the bits where Alice and Bob chose different bases. Assume that Bob wants to
receive the message $m_c$ out of Alice's messages $m_0, m_1$. Then Bob sets $I_c := I_{=}$ and
$I_{1-c} := I_{\neq}$ and sends $(I_0, I_1)$ to Alice. Alice will not know which of these two sets is
which and hence does not learn $c$. Bob will know the bits $x_i$ at indices $i \in I_c$. But even a
dishonest Bob, assuming that he measured the whole quantum state, will not know the bits at indices
$I_{1-c}$ since he used the wrong bases for these bits. Thus Alice uses the bits at $I_0$ to mask her
message $m_0$, and the bits at $I_1$ to mask her message $m_1$. Then Bob can recover $m_c$ but not
$m_{1-c}$. (To deal with the fact that a malicious Bob might have partial knowledge about the bits at
$I_{1-c}$, we use so-called privacy amplification to extract a near-uniform mask from these bits.)

^3 If we were to use photons for transmission, in the computational basis we might encode the bit 0 as a
vertically polarized photon and the bit 1 as a horizontally polarized photon. In the diagonal basis we might
encode the bit 0 as a 45°-polarized photon, and the bit 1 as a 135°-polarized photon.

The problem with this analysis is that we have assumed that a malicious Bob measures the
whole quantum state upon reception. But instead, Bob could store the quantum state until he
learns the bases that Alice used, and then use these bases to measure all bits $x_i$ accurately. Hence,
we need to force a dishonest Bob to measure all bits before Alice sends the bases. The idea of
Bennett et al. [BBCS91] is to introduce the following test: Bob has to commit to the bases he
used and to his measurement outcomes. Then Alice picks a random subset of the bits, and Bob
opens the commitments on his bases and outcomes corresponding to this subset of bits. Alice then
checks whether Bob's measurement outcomes are consistent with what Alice sent. If Bob does not
measure enough bits, then he will commit to the wrong values in many of the commitments, and
there will be a high probability that Alice detects this.
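The protocol just described, run end to end as an added example (Python written for this page, not code from the paper or from Damgård et al.). Three things are assumptions of the example and not the paper's choices: a qubit is simulated by an object whose only interface is measure(), returning the encoded bit in the encoding basis and a uniformly random bit in the conjugate basis; the commitment is a trusted in-process object standing in for the ideal commitment functionality; and SHA-256 over the raw key bits stands in for the universal hashing used in privacy amplification. The same function also runs the delaying attack from the previous paragraph, once against the commit-and-open test and once with the test switched off.

```python
"""Classical simulation of the BBCS91 / DFL+09a quantum OT protocol in the
commitment-hybrid model (added example, not code from the paper).

Assumptions: SimQubit replaces a real qubit, IdealCommitment replaces the
ideal commitment functionality, SHA-256 replaces universal hashing."""
import hashlib
import random

BASES = "+x"      # '+' computational basis, 'x' diagonal basis
MSG_LEN = 16      # message length in bytes (at most 32, the SHA-256 output)


class SimQubit:
    """One transmitted qubit |x>_theta. Bob only ever gets measure()."""

    def __init__(self, bit, basis):
        self._bit, self._basis = bit, basis

    def measure(self, basis, rng):
        if basis == self._basis:
            return self._bit          # same basis: outcome is exact
        return rng.randrange(2)       # conjugate basis: outcome is uniform


class IdealCommitment:
    """Trusted commitment functionality: nothing leaks before open()."""

    def __init__(self):
        self._vault = {}

    def commit(self, handle, value):
        self._vault[handle] = value

    def open(self, handle):
        return self._vault[handle]


def amplify(bits):
    """Privacy amplification stand-in: MSG_LEN-byte mask from raw key bits."""
    return hashlib.sha256("".join(map(str, bits)).encode()).digest()[:MSG_LEN]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def run_ot(m0, m1, c, n=256, seed=0, bob_delays_measurement=False, skip_test=False):
    """Run one OT instance. Returns (status, m_c as recovered by Bob,
    Bob's attempt at m_{1-c}); status is 'abort' if Alice catches Bob.
    bob_delays_measurement: Bob stores the qubits, commits to guesses and
    measures only after learning Alice's bases (the attack from the text).
    skip_test: omit the commit-and-open test, to show why it is needed."""
    assert len(m0) == len(m1) == MSG_LEN
    rng = random.Random(seed)   # fixed seed for reproducibility; real code
                                # would use secrets.SystemRandom()
    com = IdealCommitment()

    # Step 1: Alice encodes random bits x in random bases theta.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.choice(BASES) for _ in range(n)]
    qubits = [SimQubit(x[i], theta[i]) for i in range(n)]

    # Step 2: Bob measures in random bases theta_b and commits to (basis, outcome).
    theta_b = [rng.choice(BASES) for _ in range(n)]
    if bob_delays_measurement:
        x_b = [rng.randrange(2) for _ in range(n)]            # guesses only
    else:
        x_b = [qubits[i].measure(theta_b[i], rng) for i in range(n)]
    for i in range(n):
        com.commit(i, (theta_b[i], x_b[i]))

    # Step 3: Alice picks a random test set T, Bob opens those commitments,
    # Alice checks every opened outcome where the bases agree.
    test = set() if skip_test else set(rng.sample(range(n), n // 2))
    for i in test:
        tb, xb = com.open(i)
        if tb == theta[i] and xb != x[i]:
            return ("abort", None, None)

    # Step 4: Alice announces theta; Bob partitions the untested indices.
    rest = [i for i in range(n) if i not in test]
    if bob_delays_measurement:
        # Only reached when the test was skipped: Bob now measures every
        # stored qubit in the correct basis and therefore knows all of x.
        x_b = [qubits[i].measure(theta[i], rng) for i in range(n)]
        same, diff = rest[::2], rest[1::2]   # arbitrary split, he knows both halves
    else:
        same = [i for i in rest if theta_b[i] == theta[i]]
        diff = [i for i in rest if theta_b[i] != theta[i]]
    I = {c: same, 1 - c: diff}   # Alice cannot tell which set is which

    # Step 5: Alice masks m_b with a key amplified from x restricted to I_b.
    e = {b: xor(m, amplify([x[i] for i in I[b]])) for b, m in ((0, m0), (1, m1))}

    # Step 6: Bob unmasks with his own outcomes; at I_{1-c} a merely measuring
    # Bob holds random outcomes, so that attempt yields garbage.
    m_c = xor(e[c], amplify([x_b[i] for i in I[c]]))
    other = xor(e[1 - c], amplify([x_b[i] for i in I[1 - c]]))
    return ("ok", m_c, other)
```

With an honest Bob, run_ot(m0, m1, c) returns m_c and a wrong value for m_{1-c}. With bob_delays_measurement=True the call returns 'abort' with overwhelming probability: every tested index where Bob's committed basis happens to equal Alice's exposes a guessed outcome, which is wrong with probability 1/2, so each tested index catches him with probability 1/4. The same call with skip_test=True returns both messages, which is exactly the attack the commit-and-open test exists to prevent.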

It was a long-standing open problem what kind of a commitment needs to be used in order for
this protocol to be secure. Damgård et al. [DFL+09a] give criteria for the commitment scheme under
which the OT protocol can be proven to have so-called stand-alone security; stand-alone security,
however, does not give as powerful compositionality guarantees as UC-security (cf. Section 1.5
below). In order to achieve UC-security, we assume that the commitment is given as an ideal
functionality. Then we have to show UC-security in the case of a corrupted Alice, and UC-security
in the case of a corrupted Bob. The case of a corrupted Alice is simple, as one can easily see that
no information flows from Bob to Alice (the commitment functionality does, by definition, not leak
any information about the committed values). The case of a corrupted Bob is more complex and
requires a careful analysis of the amount of information that Bob can retrieve about Alice's
bits. Such an analysis has already been performed by Damgård et al. [DFL+09a] in their setting.
Fortunately, we do not need to repeat the analysis. We show that under certain special
conditions, stand-alone security already implies UC-security. Since in the case of a corrupted Bob
these conditions are fulfilled, we get the security in the case of a corrupted Bob as a corollary from
the work by Damgård et al. [DFL+09a].



In Section 5 we show that the OT protocol by Damgård et al. [DFL+09a], when using an ideal
functionality for the commitment, is statistically quantum-UC-secure. Furthermore, the universal
composition theorem guarantees that we can replace the commitment functionality by any quantum-
UC-secure commitment protocol.



1.3 Quantum lifting and multi-party computation 

We are now equipped with a statistically quantum-UC-secure OT protocol $\pi_{QOT}$ in the
commitment-hybrid model. As noted first by Kilian [Kil88], OT can be used for securely evaluating
arbitrary functions; in short, OT is complete for multi-party computation. Furthermore, Ishai,
Prabhakaran, and Sahai [IPS08] showed that for any functionality $\mathcal{G}$ (even interactive
functionalities that proceed in several rounds), there is a classical protocol $\rho^{\mathcal{F}_{OT}}$
in the OT-hybrid model that statistically classical-UC-emulates $\mathcal{G}$. Thus, to get a protocol
for $\mathcal{G}$ in the commitment-hybrid model, we simply replace all invocations of
$\mathcal{F}_{OT}$ by invocations of the subprotocol $\pi_{QOT}$, resulting in a protocol
$\rho^{\pi_{QOT}}$. We then expect that the security of $\rho^{\pi_{QOT}}$ follows directly using the
universal composition theorem (in its quantum variant). There is, however, one difficulty: to show
that $\rho^{\pi_{QOT}}$ statistically quantum-UC-emulates $\mathcal{G}$, the universal composition
theorem requires that the following premises are fulfilled: $\pi_{QOT}$ statistically
quantum-UC-emulates $\mathcal{F}_{OT}$, and $\rho^{\mathcal{F}_{OT}}$ statistically
quantum-UC-emulates $\mathcal{G}$. But from the result of Ishai et al. [IPS08] we only have that
$\rho^{\mathcal{F}_{OT}}$ statistically classical-UC-emulates $\mathcal{G}$. Hence, we first have to
show that the same result also holds with respect to quantum-UC-security. Fortunately, we do not
have to revisit the proof of Ishai et al., because we show the following general fact:

Theorem 2 (Quantum lifting theorem, informal) If the protocols $\pi$ and $\rho$ are classical
protocols, and $\pi$ statistically classical-UC-emulates $\rho$, then $\pi$ statistically
quantum-UC-emulates $\rho$.

Combining this theorem with the universal composition theorem, we immediately get that
$\rho^{\pi_{QOT}}$ statistically quantum-UC-emulates $\mathcal{G}$. In other words, any multi-party
computation can be performed securely using only a commitment and a quantum channel. In contrast,
we show that in the classical setting a commitment is not even sufficient to compute the AND-function.

We stress that a property like the quantum lifting theorem should not be taken for granted.
For example, for the so-called stand-alone model as considered by Fehr and Schaffner [FS09], no
corresponding property is known. A special case of security in the stand-alone model is the zero-
knowledge property: the question whether protocols that are statistically zero-knowledge with respect
to classical adversaries are also zero-knowledge with respect to quantum adversaries has been
answered positively by Watrous [Wat06] for particular protocols, but is still open in the general
case.

1.4 How to interpret our result 

We show that we can perform arbitrary statistically UC-secure multi-party computations, given
a quantum channel and a commitment. However, Mayers [May97] has shown that, even in the
quantum setting, statistically secure commitment schemes do not exist, not even with respect to
security notions much weaker than quantum-UC-security. In the light of this result, the reader may
wonder whether our result is not vacuous. To illustrate why our result is useful even in the light of
Mayers' impossibility result, we present four possible application scenarios.

Weaker computational assumptions. The first application of our result would be to combine 
our protocols with a commitment scheme that is only computationally quantum-UC-secure. Of 
course, the resulting multi-party computation protocol would then not be statistically secure any 
more. However, since commitment intuitively seems to be a simpler task than oblivious transfer, 
constructing a computationally quantum-UC-secure commitment scheme might be possible using 
simpler computational assumptions, and our result then implies that the same computational as- 
sumptions can be used for general multi-party computation. 

Physical setup. One might seek a direct physical implementation of a commitment, such as
a locked strongbox (or an equivalent but technologically more advanced construct). With our
result, such a physical implementation would be sufficient for general multi-party computation.
In contrast, in a classical setting one would be forced to try to find physical implementations of
OT. It seems that a commitment might be a simpler physical assumption than OT (or at least an
incomparable one). So our result reduces the necessary assumptions when implementing general
multi-party computation protocols based on physical assumptions. Also, Kent [Ken99] proposes to
build commitments based on the fact that the speed of light is bounded. Although it is not clear
whether his schemes are UC-secure (and in particular, how to model his physical assumptions in
the UC framework), his ideas might lead to a UC-secure commitment scheme that then, using our
result, gives general UC-secure multi-party computation based on the limitation of the speed of
light.

Theoretical separation. Our result can also be seen from the purely theoretical point of view. It 
gives a separation between the quantum and the classical setting by showing that in the quantum 
setting, commitment is complete for general statistically secure multi-party computation, while 
in the classical world it is not. Such separations - even without practical applications - may 
increase our understanding of the relationship between the classical and the quantum setting and 
are therefore arguably interesting in their own right. 

Long-term security. Müller-Quade and Unruh [MQU07b] introduce the concept of long-term UC-
security. In a nutshell, long-term UC-security is a strengthening of computational UC-security that
guarantees that a protocol stays secure even if the adversary gets unlimited computational power
after the protocol execution. This captures the fact that, while we might confidently judge today's
technology, we cannot easily make predictions about which computational problems will be hard
in the future. Müller-Quade and Unruh show that (classically) long-term UC-secure commitment
protocols exist given certain practical infrastructure assumptions, so-called signature cards. It is,
however, likely that their results cannot be extended to achieve general multi-party computation.
Our result, on the other hand, might allow to overcome this limitation: assume that we show that
the commitment protocol of Müller-Quade and Unruh is also secure in a quantum variant of long-
term UC-security. Then we could compose that commitment protocol with the protocols presented
here, leading to long-term UC-secure general multi-party protocols from signature cards.

1.5 Compositionality restrictions in prior work 

Above, we claimed that the results of prior work on commitment schemes in the quantum setting
have limitations concerning their composability guarantees. We will now briefly explain in which
cases composition is possible in prior models, and what the restrictions are. All prior results giving
some kind of composability guarantee work in some variant of the so-called stand-alone model.
The basic idea of the stand-alone model is similar to that of the UC model: we specify a protocol
$\pi$ and an ideal functionality $\mathcal{F}$, and we say that $\pi$ implements $\mathcal{F}$ in the
stand-alone model if for every adversary Adv attacking $\pi$ (real model), there is a simulator Sim
attacking $\mathcal{F}$ (ideal model), so that the real and the ideal model are indistinguishable. But
in contrast to the UC model, indistinguishability of the real and the ideal model is not defined with
respect to an environment that tries to guess which model it is interacting with. Instead, given fixed
inputs for all honest parties, we require that the output of the honest parties and of the adversary
(considered as a joint quantum state) is indistinguishable from the output of the functionality and of
the simulator (considered as a joint quantum state). The notion of indistinguishability of quantum
states is then defined depending on the flavor of the stand-alone model. Security in the stand-alone
model is strictly weaker than security in the UC model: the UC environment may introduce additional
dependencies between the messages sent in the protocol and the protocol inputs/outputs. For
example, the environment could give a message that has been sent over an insecure channel by
Bob as initial protocol input to Alice. Such dependencies are explicitly excluded in the stand-alone
model.

In the classical case, it has been shown by Canetti [Can00] that the stand-alone model allows for
sequential composition. Sequential composition means that we are allowed to run several protocols
or several instances of one protocol one after the other without losing security, but we are not
allowed to run them concurrently or interleave the protocol steps (as can easily happen if the
protocol parties are not careful about their synchronization). Similar results have been obtained
in the quantum case by Wehner and Wullschleger [WW08] and by Fehr and Schaffner [FS09] for
different variants of the quantum stand-alone model.

There are two main flavors of the quantum stand-alone model: Statistical and computational 
security. In the first case, adversary and simulator are allowed to be unlimited, and in the second 
case, adversary and simulator are computationally bounded. Note that when defined like this, sta- 
tistical stand-alone security does not imply computational stand-alone security because statistical 
stand-alone security does not guarantee that the simulator corresponding to a computationally 
bounded adversary is also computationally bounded. The effect of this is slightly paradoxical: one 
can compose statistically secure protocols with each other, and one can compose computationally 
secure protocols with each other, but no guarantees are given if one composes a computationally 
secure protocol with a statistically secure protocol. 

We note that the problems arising from an unlimited simulator can be avoided by simply 
strengthening the statistical stand-alone model and requiring that the simulator is computationally 
bounded if the adversary is. This is the approach we also take in our modeling of statistical 
quantum-UC-security. 

The protocols analyzed by Wehner and Wullschleger [WW08] and Fehr and Schaffner [FS09]
are proven secure in (different variants of) the statistical stand-alone model. Furthermore, the
simulators they construct do not run in polynomial time; therefore their results do not imply
computational stand-alone security, and the difficulties outlined above apply.

The situation concerning the OT protocol analyzed by Damgård, Fehr, Lunemann, Salvail, and
Schaffner [DFL+09a] is even more subtle. They prove that in the case of a corrupted recipient Bob,
their protocol is secure in the computational stand-alone model. Furthermore, for a corrupted sender
Alice, the protocol is secure in the statistical stand-alone model with non-polynomial-time simulator.
Thus, the protocol can be composed sequentially with other protocols that are computationally
secure for corrupted Bob and statistically secure for corrupted Alice; yet it cannot be composed with
protocols which are statistically secure for corrupted Bob and computationally secure for corrupted
Alice. In particular, the OT protocol cannot be composed with another instance of itself where Bob
is the sender. The full version [DFL+09b, Section 5] of their paper describes an extension of the
underlying commitment scheme which enables the construction of an efficient simulator. With such
an extension, sequential composition of their OT protocol with computationally secure protocols is
possible.

In all three papers, when composing classical and quantum protocols, it is necessary that even
the classical protocols are proven secure with respect to a definition involving quantum adversaries.
A result like our quantum lifting theorem (Theorem 2) is an open problem in the stand-alone
model.



1.6 Related work

Security models. General quantum security models based on the stand-alone model were first
proposed by van de Graaf [vdG98]. His model comes without a composition theorem. The
notion has been refined by Wehner and Wullschleger [WW08] and by Fehr and Schaffner [FS09],
who also prove sequential composition theorems. Quantum security models in the style of the UC
model have been proposed by Ben-Or and Mayers [BOM04] and by Unruh [Unr04]. The original
idea behind the UC framework in the classical setting was independently discovered by Canetti
[Can01] and by Pfitzmann and Waidner [PW01] (the notion is called Reactive Simulatability in the
latter paper).

Quantum protocols. The idea of using quantum communication for cryptographic purposes
seems to originate from Wiesner [Wie83]. The idea gained widespread recognition with the BB84
quantum key-exchange protocol by Bennett and Brassard [BB84]. A statistically hiding and binding
commitment scheme was proposed by Brassard, Crépeau, Jozsa, and Langlois [BCJL93]. Unfortunately,
the scheme was later found to be insecure; in fact, Mayers [May97] showed that statistically
hiding and binding quantum commitments are impossible without using additional assumptions.
Kent [Ken99] circumvents this impossibility result by proposing a statistically hiding and binding
commitment scheme that is based on the limitation of the speed of light. Bennett, Brassard, Crépeau,
and Skubiszewska [BBCS91] present a protocol for statistically secure oblivious transfer in
the quantum setting. They prove their protocol secure under the assumption that the adversary
cannot store qubits and measures each qubit individually. They also sketch an extension that uses
a commitment scheme to make their OT protocol secure against adversaries that can store and
compute on quantum states. The protocol analyzed in the present paper is, in its basic idea, that
extension. Yao [Yao95] gave a partial proof of the extended OT protocol. His proof, however,
is incomplete and refers to a future complete paper which, to the best of our knowledge, never
appeared. As far as we know, the first complete proof of a variant of that OT protocol has been
given by Damgård, Fehr, Lunemann, Salvail, and Schaffner [DFL+09a]; their protocol is secure in
the stand-alone model. Hofheinz and Müller-Quade [HMQ03] conjectured that the extended OT
protocol by Bennett et al. [BBCS91] is indeed UC-secure; in the present paper we prove this claim.
Damgård, Fehr, Salvail, and Schaffner [DFSS05] have presented OT and commitment protocols
which are statistically secure under the assumption that the adversary has a bounded quantum
storage capacity.

Classical vs. quantum security. To the best of our knowledge, van de Graaf [vdG98] was the first
to notice that even statistically secure classical protocols are not necessarily secure in a quantum
setting. The reason is that the powerful technique of rewinding the adversary is not available in the
quantum setting. Watrous [Wat06] showed that in particular cases a technique similar to classical
rewinding can be used. He uses this technique to construct quantum zero-knowledge proofs. No
general technique relating classical and quantum security is known; to the best of our knowledge,
our quantum lifting theorem is the first such result (although restricted to the statistical UC model).

Miscellaneous. Kilian [Kil88] first noted that OT is complete for general multi-party computation.
Ishai, Prabhakaran, and Sahai [IPS08] prove that this also holds in the UC setting. Computationally
secure UC commitment schemes have been presented by Canetti and Fischlin [CF01].

1.7 Preliminaries 

General. A nonnegative function $\mu$ is called negligible if for all $c > 0$ and all sufficiently large
$k$, $\mu(k) \le k^{-c}$. A nonnegative function $f$ is called overwhelming if $f \ge 1 - \mu$ for some
negligible $\mu$. Keywords in typewriter font (e.g., environment) are assumed to be fixed but
arbitrary, distinct non-empty words in $\{0,1\}^*$. $\varepsilon \in \{0,1\}^*$ denotes the empty word.
Given a sequence $x = x_1, \dots, x_n$ and a set $I \subseteq \{1, \dots, n\}$, $x|_I$ denotes the
sequence $x$ restricted to the indices $i \in I$.
Quantum systems. We can only give a terse overview of the formalism used in quantum computing. For a thorough introduction, we recommend the textbook by Nielsen and Chuang [NC00, Chap. 1-2]. A (pure) state in a quantum system is described by a vector $|\psi\rangle$ in some Hilbert space $\mathcal{H}$. In this work, we only use Hilbert spaces of the form $\mathcal{H} = \mathbb{C}^N$ for some countable set $N$, usually $N = \{0,1\}$ for qubits or $N = \{0,1\}^*$ for bitstrings. We always assume a designated orthonormal basis $\{|x\rangle : x \in N\}$ for each Hilbert space, called the computational basis. The basis states $|x\rangle$ represent classical states (i.e., states without superposition). Given several separate subsystems $\mathcal{H}_1 = \mathbb{C}^{N_1}, \ldots, \mathcal{H}_n = \mathbb{C}^{N_n}$, we describe the joint system by the tensor product $\mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_n = \mathbb{C}^{N_1 \times \cdots \times N_n}$. We write $\langle\Psi|$ for the linear transformation mapping $|\Phi\rangle$ to the scalar product $\langle\Psi|\Phi\rangle$. Consequently, $|\Psi\rangle\langle\Psi|$ denotes the orthogonal projector on $|\Psi\rangle$. We set $|0\rangle_+ := |0\rangle$, $|1\rangle_+ := |1\rangle$, $|0\rangle_\times := \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, and $|1\rangle_\times := \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. For $x \in \{0,1\}^n$ and $\theta \in \{+, \times\}^n$ we define $|x\rangle_\theta := |x_1\rangle_{\theta_1} \otimes \cdots \otimes |x_n\rangle_{\theta_n}$.

Mixed states. If a system is not in a single pure state, but instead is in the pure state $|\Psi_i\rangle \in \mathcal{H}$ with probability $p_i$ (i.e., it is in a mixed state), we describe the system by a density operator $\rho = \sum_i p_i |\Psi_i\rangle\langle\Psi_i|$ over $\mathcal{H}$. This representation contains all physically observable information about the distribution of states, but some distributions are not distinguishable by any measurement and are represented by the same mixed state. The set of all density operators is the set of all positive$^4$ operators on $\mathcal{H}$ with trace 1, and is denoted $\mathcal{P}(\mathcal{H})$. Composed systems are described by operators in $\mathcal{P}(\mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_n)$. In the following, when speaking about (quantum) states, we always mean mixed states in the density operator representation. A mapping $\mathcal{E} : \mathcal{P}(\mathcal{H}_1) \to \mathcal{P}(\mathcal{H}_2)$ represents a physically possible operation (realizable by a sequence of unitary transformations, measurements, and initializations and removals of qubits) iff it is a completely positive trace preserving map.$^5$ We call such mappings superoperators. The superoperator $\mathcal{E}^m_{init}$ on $\mathcal{P}(\mathcal{H})$ with $\mathcal{H} := \mathbb{C}^{\{0,1\}^*}$ and $m \in \{0,1\}^*$ is defined by $\mathcal{E}^m_{init}(\rho) := |m\rangle\langle m|$ for all $\rho$.

Composed systems. Given a superoperator $\mathcal{E}$ on $\mathcal{P}(\mathcal{H}_1)$, the superoperator $\mathcal{E} \otimes \mathrm{id}$ operates on $\mathcal{P}(\mathcal{H}_1 \otimes \mathcal{H}_2)$. Instead of saying "we apply $\mathcal{E} \otimes \mathrm{id}$", we say "we apply $\mathcal{E}$ to $\mathcal{H}_1$". If we say "we initialize $\mathcal{H}$ with $m$", we mean "we apply $\mathcal{E}^m_{init}$ to $\mathcal{H}$". Given a state $\rho \in \mathcal{P}(\mathcal{H}_1 \otimes \mathcal{H}_2)$, let $\rho_x := (|x\rangle\langle x| \otimes \mathrm{id})\,\rho\,(|x\rangle\langle x| \otimes \mathrm{id})$. Then the outcome of measuring $\mathcal{H}_1$ in the computational basis is $x$ with probability $\operatorname{tr} \rho_x$, and after measuring $x$, the quantum state is $\rho_x / \operatorname{tr} \rho_x$. Since we will only perform measurements in the computational basis in this work, we will omit the qualification "in the computational basis". The terminology in this paragraph generalizes to systems composed of more than two subsystems.

Classical states. Classical probability distributions $P : N \to [0,1]$ over a countable set $N$ are represented by density operators $\rho \in \mathcal{P}(\mathbb{C}^N)$ with $\rho = \sum_{x \in N} P(x)\,|x\rangle\langle x|$ where $\{|x\rangle\}$ is the computational basis. We call a state classical if it is of this form. We thus have a canonical isomorphism between the classical states over $\mathbb{C}^N$ and the probability distributions over $N$. We call a superoperator $\mathcal{E} : \mathcal{P}(\mathbb{C}^{N_1}) \to \mathcal{P}(\mathbb{C}^{N_2})$ classical iff there is a randomized function $F : N_1 \to N_2$ such that $\mathcal{E}(\rho) = \sum_{x \in N_1,\, y \in N_2} \Pr[F(x) = y] \cdot \langle x|\rho|x\rangle \cdot |y\rangle\langle y|$. Classical superoperators describe what can be realized with classical computations. An example of a classical superoperator on $\mathcal{P}(\mathbb{C}^N)$ is $\mathcal{E}_{class} : \rho \mapsto \sum_x \langle x|\rho|x\rangle \cdot |x\rangle\langle x|$. Intuitively, $\mathcal{E}_{class}$ measures $\rho$ in the computational basis and then discards the outcome, thus removing all superpositions from $\rho$.

4 We call an operator positive if it is Hermitian and has only nonnegative eigenvalues.

5 A map $\mathcal{E}$ is completely positive iff for all Hilbert spaces $\mathcal{H}'$, and all positive operators $\rho$ over $\mathcal{H}_1 \otimes \mathcal{H}'$, $(\mathcal{E} \otimes \mathrm{id})(\rho)$ is positive.

2 Quantum Universal Composability 

We now present our quantum-UC framework. For a motivation of the model, we refer to Section 1.1.



Machine model. A machine $M$ is described by an identity $\mathit{id}_M \in \{0,1\}^*$ and a sequence of superoperators $\mathcal{E}^{(k)}_M$ ($k \in \mathbb{N}$) on $\mathcal{H}^{state} \otimes \mathcal{H}^{class} \otimes \mathcal{H}^{quant}$ with $\mathcal{H}^{state}, \mathcal{H}^{class}, \mathcal{H}^{quant} := \mathbb{C}^{\{0,1\}^*}$ (the state transition operators). The index $k$ in $\mathcal{E}^{(k)}_M$ denotes the security parameter. The Hilbert space $\mathcal{H}^{state}$ represents the state kept by the machine between invocations, and $\mathcal{H}^{class}$ and $\mathcal{H}^{quant}$ are used both for incoming and outgoing messages. Any message consists of a classical part stored in $\mathcal{H}^{class}$ and a quantum part stored in $\mathcal{H}^{quant}$. If a machine $\mathit{id}_{sender}$ wishes to send a message with classical part $m$ and quantum part $|\Psi\rangle$ to a machine $\mathit{id}_{rcpt}$, the machine $\mathit{id}_{sender}$ initializes $\mathcal{H}^{class}$ with $(\mathit{id}_{sender}, \mathit{id}_{rcpt}, m)$ and $\mathcal{H}^{quant}$ with $|\Psi\rangle$. (See the definition of the network execution below for details.) The separation of messages into a classical and a quantum part is for clarity only; all information could also be encoded directly in a single register. If a machine does not wish to send a message, it initializes $\mathcal{H}^{class}$ and $\mathcal{H}^{quant}$ with $\varepsilon$.

A network $N$ is a set of machines with pairwise distinct identities containing a machine $Z$ with $\mathit{id}_Z = \mathsf{environment}$. We write $\mathit{ids}_N$ for the set of the identities of the machines in $N$.

We call a machine $M$ quantum-polynomial-time if there is a uniform$^6$ sequence of quantum circuits $C_k$ such that for all $k$, the circuit $C_k$ implements the superoperator $\mathcal{E}^{(k)}_M$.

Network execution. The state space $\mathcal{H}_N$ for a network $N$ is defined as $\mathcal{H}_N := \mathcal{H}^{class} \otimes \mathcal{H}^{quant} \otimes \bigotimes_{\mathit{id} \in \mathit{ids}_N} \mathcal{H}^{state}_{\mathit{id}}$ with $\mathcal{H}^{state}_{\mathit{id}}, \mathcal{H}^{class}, \mathcal{H}^{quant} := \mathbb{C}^{\{0,1\}^*}$. Here $\mathcal{H}^{state}_{\mathit{id}}$ represents the local state of the machine with identity $\mathit{id}$ and $\mathcal{H}^{class}$ and $\mathcal{H}^{quant}$ represent the state spaces used for communication. ($\mathcal{H}^{class}$ and $\mathcal{H}^{quant}$ are shared between all machines. Since only one machine is active at a time, no conflicts occur.)

A step in the execution of $N$ is defined by a superoperator $\mathcal{E} := \mathcal{E}^{(k)}_N$ operating on $\mathcal{H}_N$. This superoperator performs the following steps: First, $\mathcal{E}$ measures $\mathcal{H}^{class}$ in the computational basis, and parses the outcome as $(\mathit{id}_{sender}, \mathit{id}_{rcpt}, m)$. Let $M$ be the machine in $N$ with identity $\mathit{id}_{rcpt}$. Then $\mathcal{E}$ applies $\mathcal{E}^{(k)}_M$ to $\mathcal{H}^{state}_{\mathit{id}_{rcpt}} \otimes \mathcal{H}^{class} \otimes \mathcal{H}^{quant}$. Then $\mathcal{E}$ measures $\mathcal{H}^{class}$ and parses the outcome as $(\mathit{id}'_{sender}, \mathit{id}'_{rcpt}, m')$. If the outcome could not be parsed, or if $\mathit{id}'_{sender} \neq \mathit{id}_{rcpt}$, initialize $\mathcal{H}^{class}$ with $(\varepsilon, \mathsf{environment}, \varepsilon)$ and $\mathcal{H}^{quant}$ with $\varepsilon$. (This ensures that the environment is activated if a machine sends no or an ill-formed message.)

The output of the network $N$ on input $z$ and security parameter $k$ is described by the following algorithm: Let $\rho \in \mathcal{P}(\mathcal{H}_N)$ be the state that is initialized to $(\varepsilon, \mathsf{environment}, z)$ in $\mathcal{H}^{class}$, and to the empty word $\varepsilon$ in all other registers. Then repeat the following indefinitely: Apply $\mathcal{E}^{(k)}_N$ to $\rho$. Measure $\mathcal{H}^{class}$. If the outcome is of the form $(\mathsf{environment}, \varepsilon, \mathit{out})$, return $\mathit{out}$ and terminate. Otherwise, continue the loop. The probability distribution of the return value $\mathit{out}$ is denoted by $\mathrm{Exec}_N(k, z)$.



6 A sequence of circuits $C_k$ is uniform if a deterministic Turing machine can output the description of $C_k$ in time polynomial in $k$.
Corruptions. To model corruptions, we introduce corruption parties, special machines that follow the instructions given by the adversary. When invoked, the corruption party $P^C_{\mathit{id}}$ with identity $\mathit{id}$ measures $\mathcal{H}^{class}$ and parses the outcome as $(\mathit{id}_{sender}, \mathit{id}_{rcpt}, m)$. If $\mathit{id}_{sender} = \mathsf{adversary}$, $\mathcal{H}^{class}$ is initialized with $m$. (In this case, $m$ specifies both the message and the sender/recipient. Thus the adversary can instruct a corruption party to send to arbitrary recipients.) Otherwise, $\mathcal{H}^{class}$ is initialized with $(\mathit{id}, \mathsf{adversary}, (\mathit{id}_{sender}, \mathit{id}_{rcpt}, m))$. (The message is forwarded to the adversary.) Note that, since $P^C_{\mathit{id}}$ does not touch $\mathcal{H}^{quant}$, the quantum part of the message is forwarded.

Given a network $N$, and a set of identities $C$, we write $N^C$ for the set resulting from replacing each machine $M \in N$ with identity $\mathit{id} \in C$ by $P^C_{\mathit{id}}$.

Security model. A protocol $\pi$ is a set of machines with $\mathsf{environment}, \mathsf{adversary} \notin \mathit{ids}(\pi)$. We assume a set of identities $\mathit{parties}_\pi \subseteq \mathit{ids}(\pi)$ to be associated with $\pi$. $\mathit{parties}_\pi$ denotes which of the machines in the protocol are actually protocol parties (as opposed to incorruptible entities such as ideal functionalities).

An environment is a machine with identity $\mathsf{environment}$, an adversary or a simulator is a machine with identity $\mathsf{adversary}$ (there is no formal distinction between adversaries and simulators, the two terms refer to different intended roles of a machine).

In the following we call two networks $N$ and $M$ indistinguishable if there is a negligible function $\mu$ such that for all $z \in \{0,1\}^*$ and $k \in \mathbb{N}$, $|\Pr[\mathrm{Exec}_N(k,z) = 1] - \Pr[\mathrm{Exec}_M(k,z) = 1]| \leq \mu(k)$. We speak of perfect indistinguishability if $\mu = 0$.

Definition 3 (Statistical quantum-UC-security) Let protocols $\pi$ and $\rho$ be given. We say $\pi$ statistically quantum-UC-emulates $\rho$ iff for every set $C \subseteq \mathit{parties}_\pi$ and for every adversary Adv there is a simulator Sim such that for every environment $Z$, the networks $\pi^C \cup \{\mathrm{Adv}, Z\}$ (called the real model) and $\rho^C \cup \{\mathrm{Sim}, Z\}$ (called the ideal model) are indistinguishable. We furthermore require that if Adv is quantum-polynomial-time, so is Sim.

Definition 4 (Computational quantum-UC-security) Let protocols $\pi$ and $\rho$ be given. We say $\pi$ computationally quantum-UC-emulates $\rho$ iff for every set $C \subseteq \mathit{parties}_\pi$ and for every quantum-polynomial-time adversary Adv there is a quantum-polynomial-time simulator Sim such that for every quantum-polynomial-time environment $Z$, the networks $\pi^C \cup \{\mathrm{Adv}, Z\}$ and $\rho^C \cup \{\mathrm{Sim}, Z\}$ are indistinguishable.

Note that although $\mathrm{Exec}_{\pi^C \cup \{\mathrm{Adv}, Z\}}(k, z)$ may return arbitrary bitstrings, we only compare whether the return value of $Z$ is 1 or not. This effectively restricts $Z$ to returning a single bit. This can be done without loss of generality (see [Can01] for a discussion of this issue; their arguments also apply to the quantum case) and simplifies the definition.

In our framework, any communication between two parties is perfectly secure since the network model guarantees that messages are delivered to the right party and not leaked to the adversary. To model a protocol with insecure channels instead, one would explicitly instruct the protocol parties to send all messages through the adversary. Authenticated channels can be realized by introducing an ideal functionality (see the next section) that realizes an authenticated channel. For simplicity, we only consider protocols with secure channels in this work.

2.1 Ideal functionalities 

In most cases, the behavior of the ideal model is described by a single machine $\mathcal{F}$, the so-called ideal functionality. We can think of this functionality as a trusted third party that perfectly implements the desired protocol behavior. For example, the functionality $\mathcal{F}_{OT}$ for oblivious transfer would take as input from Alice two bitstrings $m_0, m_1$, and from Bob a bit $c$, and send to Bob the bitstring $m_c$. Obviously, such a functionality constitutes a secure oblivious transfer. We can thus define a protocol $\pi$ to be a secure OT protocol if $\pi$ quantum-UC-emulates $\rho_{OT}$ where $\rho_{OT}$ denotes the protocol consisting only of one machine, the functionality $\mathcal{F}_{OT}$ itself. There is, however, one technical difficulty here. In the real protocol $\pi$, the bitstring $m_c$ is sent to the environment $Z$ by Bob, while in the ideal model, $m_c$ is sent by the functionality. Since every message is tagged with the sender of that message, $Z$ can distinguish between the real and the ideal model merely by looking at the sender of $m_c$. To solve this issue, we need to ensure that $\mathcal{F}$ sends the message $m_c$ in the name of Bob (and for analogous reasons, that $\mathcal{F}$ receives messages sent by $Z$ to Alice or Bob). To achieve this, we use so-called dummy-parties [Can01] in the ideal model. These are parties with the identities of Alice and Bob that just forward messages between the functionality and the environment.

Definition 5 (Dummy-party) Let a machine $P$ and a functionality $\mathcal{F}$ be given. The dummy-party $\tilde{P}$ for $P$ and $\mathcal{F}$ is a machine that has the same identity as $P$ and has the following state transition operator: Let $\mathit{id}_{\mathcal{F}}$ be the identity of $\mathcal{F}$. When activated, measure $\mathcal{H}^{class}$. If the outcome of the measurement is of the form $(\mathsf{environment}, \mathit{id}_P, m)$, initialize $\mathcal{H}^{class}$ with $(\mathit{id}_P, \mathit{id}_{\mathcal{F}}, m)$. If the outcome is of the form $(\mathit{id}_{\mathcal{F}}, \mathit{id}_P, m)$, initialize $\mathcal{H}^{class}$ with $(\mathit{id}_P, \mathsf{environment}, m)$. In all cases, the quantum communication register is not modified (i.e., the message in that register is forwarded).

Note the strong analogy to the corruption parties (page 12).

Thus, if we write $\pi$ quantum-UC-emulates $\mathcal{F}$, we mean that $\pi$ quantum-UC-emulates $\rho_{\mathcal{F}}$ where $\rho_{\mathcal{F}}$ consists of the functionality $\mathcal{F}$ and the dummy-parties corresponding to the parties in $\pi$. More precisely:

Definition 6 Let $\pi$ be a protocol and $\mathcal{F}$ be a functionality. We say that $\pi$ statistically/computationally quantum-UC-emulates $\mathcal{F}$ if $\pi$ statistically/computationally quantum-UC-emulates $\rho_{\mathcal{F}}$ where $\rho_{\mathcal{F}} := \{\tilde{P} : P \in \mathit{parties}_\pi\} \cup \{\mathcal{F}\}$.

For more discussion of dummy-parties and functionalities, see [Can01].

Using the concept of an ideal functionality, we can specify a range of protocol tasks by simply defining the corresponding functionality. Below, we give the definitions of various functionalities. All these functionalities are classical; we therefore do not explicitly describe when the registers $\mathcal{H}^{class}$ and $\mathcal{H}^{quant}$ are measured/initialized but instead describe the functionality in terms of the messages sent and received.

Definition 7 (Commitment) Let $A$ and $B$ be two parties. The functionality $\mathcal{F}^{A,B}_{COM}$ behaves as follows: Upon (the first) input $(\mathsf{commit}, x)$ with $x \in \{0,1\}^{\ell(k)}$ from $B$, send $\mathsf{committed}$ to $A$. Upon input $\mathsf{open}$ from $B$ send $(\mathsf{open}, x)$ to $A$. All communication/input/output is classical. We call $B$ the sender and $A$ the recipient.

Definition 8 (Oblivious transfer (OT)) Let $A$ and $B$ be two parties. The functionality $\mathcal{F}^{A,B}_{OT}$ behaves as follows: When receiving input $(s_0, s_1)$ from $A$ with $s_0, s_1 \in \{0,1\}^{\ell(k)}$ and $c \in \{0,1\}$ from $B$, send $s := s_c$ to $B$. All communication/input/output is classical. We call $A$ the sender and $B$ the recipient.$^7$

7 We used $A$ as the sender in the description of the OT functionality, and as the recipient in the description of the commitment functionality. We do so to simplify notation later; our protocol for OT from $A$ to $B$ will use a commitment from $B$ to $A$.

Definition 9 (Randomized oblivious transfer (ROT)) Let $A$ and $B$ be two parties. The functionality $\mathcal{F}^{A,B}_{ROT}$ behaves as follows: If $A$ is uncorrupted, when receiving input $c \in \{0,1\}$ from $B$, choose $s_0, s_1 \in \{0,1\}^{\ell(k)}$ uniformly and send $(s_0, s_1)$ to $A$ and $s := s_c$ to $B$. If $A$ is corrupted, when receiving input $(s_0, s_1)$ from $A$ with $s_0, s_1 \in \{0,1\}^{\ell(k)}$ and $c \in \{0,1\}$ from $B$, send $s := s_c$ to $B$. All communication/input/output is classical.

2.2 Elementary properties of UC-security 

Lemma 10 (Reflexivity, transitivity) Let $\pi$, $\rho$, and $\sigma$ be protocols. Then $\pi$ quantum-UC-emulates $\pi$. If $\pi$ quantum-UC-emulates $\rho$ and $\rho$ quantum-UC-emulates $\sigma$, then $\pi$ quantum-UC-emulates $\sigma$.

This holds both for statistical and computational quantum-UC-security.

Proof. We first consider the case of statistical quantum-UC-security.

For any adversary Adv and any set $C$, with Sim := Adv, we have that $\pi^C \cup \{\mathrm{Adv}, Z\}$ and $\pi^C \cup \{\mathrm{Sim}, Z\}$ are equal and hence perfectly indistinguishable for all $Z$. If Adv is quantum-polynomial-time, so is Sim = Adv. Thus $\pi$ quantum-UC-emulates $\pi$.

Assume that $\pi$ quantum-UC-emulates $\rho$ and $\rho$ quantum-UC-emulates $\sigma$. Fix an adversary Adv and a set $C$. Then there is a simulator Sim such that for all $Z$, $\pi^C \cup \{\mathrm{Adv}, Z\}$ and $\rho^C \cup \{\mathrm{Sim}, Z\}$ are indistinguishable. Furthermore, for the adversary Adv' := Sim, there is a simulator Sim' such that $\rho^C \cup \{\mathrm{Sim}, Z\} = \rho^C \cup \{\mathrm{Adv}', Z\}$ and $\sigma^C \cup \{\mathrm{Sim}', Z\}$ are indistinguishable for all $Z$. Since indistinguishability is transitive, $\pi^C \cup \{\mathrm{Adv}, Z\}$ and $\sigma^C \cup \{\mathrm{Sim}', Z\}$ are indistinguishable for all $Z$. Finally, if Adv is quantum-polynomial-time, so is Adv' = Sim, and thus also Sim'. Thus $\pi$ quantum-UC-emulates $\sigma$.

In the case of computational quantum-UC-security, the proof is identical, except that we quantify over quantum-polynomial-time Adv and $Z$. □

Dummy-adversary. In the definition of UC-security, we have three entities interacting with the protocol: the adversary, the simulator, and the environment. Both the adversary and the environment are all-quantified, hence we would expect that they do, in some sense, work together. This intuition is backed by the following fact which was first noted by Canetti [Can01]: Without loss of generality, we can assume an adversary that is completely controlled by the environment. This so-called dummy-adversary only forwards messages between the environment and the protocol. The actual attack is then executed by the environment.

Definition 11 (Dummy-adversary $\mathrm{Adv}_{dummy}$) When activated, the dummy-adversary $\mathrm{Adv}_{dummy}$ measures $\mathcal{H}^{class}$; call the outcome $m$. If $m$ is of the form $(\mathsf{environment}, \mathsf{adversary}, m')$, initialize $\mathcal{H}^{class}$ with $m'$. Otherwise initialize $\mathcal{H}^{class}$ with $(\mathsf{adversary}, \mathsf{environment}, m)$. In all cases, the quantum communication register is not modified (i.e., the message in that register is forwarded).



Note the strong analogy to the dummy-parties (Definition 5) and the corruption parties (page 12).
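To make the routing rules of the network execution, the dummy-parties (Definition 5), the corruption parties and the dummy-adversary (Definition 11) concrete, the following added example (not code from the paper) simulates them classically around the ideal OT functionality. It assumes the identities "Alice", "Bob" and "F_OT" and a scripted environment, and leaves the quantum registers out entirely.

```python
# Added example (not the paper's code): a purely classical toy simulation of the
# network execution, dummy-parties, corruption parties and dummy-adversary defined
# above, with the ideal OT functionality as the protocol. Quantum registers are
# omitted; a message is just its classical part (id_sender, id_rcpt, m). The
# identities "Alice", "Bob", "F_OT" and the scripted environment are assumptions.
from typing import Dict, Optional, Tuple

ENV, ADV, EPS = "environment", "adversary", ""   # EPS stands for the empty word
Msg = Tuple[str, str, object]                      # (id_sender, id_rcpt, m)

class Machine:
    """An identity plus a state transition `step` acting on H^class."""
    def __init__(self, ident: str):
        self.ident = ident

def exec_network(machines: Dict[str, Machine], z, max_steps: int = 50):
    """Exec_N(k, z): activate the recipient named in H^class, re-check the sender
    field, and return `out` once H^class holds (environment, EPS, out)."""
    reg: Msg = (EPS, ENV, z)                       # initial content of H^class
    for _ in range(max_steps):
        rcpt = reg[1]
        out = machines[rcpt].step(reg) if rcpt in machines else None
        # no/ill-formed message or sender != activated machine: activate Z
        if not (isinstance(out, tuple) and len(out) == 3 and out[0] == rcpt):
            out = (EPS, ENV, EPS)
        reg = out
        if reg[0] == ENV and reg[1] == EPS:
            return reg[2]
    raise RuntimeError("network did not terminate")

class FunctionalityOT(Machine):
    """F_OT: takes (s0, s1) from Alice and c from Bob, sends s_c to Bob."""
    def __init__(self, alice: str = "Alice", bob: str = "Bob"):
        super().__init__("F_OT")
        self.alice, self.bob, self.inputs = alice, bob, {}
    def step(self, msg: Msg) -> Optional[Msg]:
        sender, _, m = msg
        self.inputs.setdefault(sender, m)          # only the first input counts
        if self.alice in self.inputs and self.bob in self.inputs:
            s0, s1 = self.inputs[self.alice]
            return (self.ident, self.bob, (s0, s1)[self.inputs[self.bob]])
        return None                                # nothing to send yet

class DummyParty(Machine):
    """Definition 5: relays environment <-> functionality under P's identity."""
    def __init__(self, ident: str, func_id: str):
        super().__init__(ident)
        self.func_id = func_id
    def step(self, msg: Msg) -> Optional[Msg]:
        sender, rcpt, m = msg
        if sender == ENV and rcpt == self.ident:
            return (self.ident, self.func_id, m)
        if sender == self.func_id and rcpt == self.ident:
            return (self.ident, ENV, m)
        return None

class CorruptionParty(Machine):
    """P^C_id: an adversary instruction m is written to H^class as-is (the network
    step still insists on sender == id); anything else is sent to the adversary."""
    def step(self, msg: Msg) -> Msg:
        sender, _, m = msg
        return m if sender == ADV else (self.ident, ADV, msg)

class DummyAdversary(Machine):
    """Definition 11: unwraps instructions from Z, wraps everything else for Z."""
    def step(self, msg: Msg) -> Msg:
        sender, _, m = msg
        return m if sender == ENV else (ADV, ENV, msg)

class ScriptedEnv(Machine):
    """Sends a fixed script of (rcpt, m); outputs the first message delivered back."""
    def __init__(self, script):
        super().__init__(ENV)
        self.script = list(script)
    def step(self, msg: Msg) -> Msg:
        sender, _, m = msg
        if sender != EPS:                          # something was delivered
            return (ENV, EPS, (sender, m))
        if self.script:
            rcpt, m = self.script.pop(0)
            return (ENV, rcpt, m)
        return (ENV, EPS, None)

def ideal_ot_with_dummies(s0="secret0", s1="secret1", c=1):
    """Ideal model rho_F: Z receives s_c tagged with sender "Bob", as in a real run."""
    f = FunctionalityOT()
    env = ScriptedEnv([("Alice", (s0, s1)), ("Bob", c)])
    net = {m.ident: m for m in
           (f, DummyParty("Alice", f.ident), DummyParty("Bob", f.ident), env)}
    return exec_network(net, z=EPS)

def ideal_ot_corrupted_bob(s0="secret0", s1="secret1", c=0):
    """Bob replaced by P^C_Bob: Z instructs it through Adv_dummy to send c to F_OT;
    the reply reaches Z via P^C_Bob and Adv_dummy, wrapped twice on the way."""
    f = FunctionalityOT()
    env = ScriptedEnv([("Alice", (s0, s1)),
                       (ADV, (ADV, "Bob", ("Bob", f.ident, c)))])
    net = {m.ident: m for m in (f, DummyParty("Alice", f.ident),
                                CorruptionParty("Bob"), DummyAdversary(ADV), env)}
    return exec_network(net, z=EPS)
```

The first run returns the pair ("Bob", s_c), i.e. the environment sees Bob, not the functionality, as sender; the second returns the nested forwarding record that reaches the environment through the adversary.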



Lemma 12 (Completeness of the dummy-adversary) Assume that $\pi$ quantum-UC-emulates $\rho$ with respect to the dummy-adversary (i.e., instead of quantifying over all adversaries Adv, we fix Adv := $\mathrm{Adv}_{dummy}$). Then $\pi$ quantum-UC-emulates $\rho$.

This holds both for statistical and computational quantum-UC-security.
Figure 1: Completeness of the dummy-adversary: proof steps



Proof. We first consider the case of statistical quantum-UC-security.

Assume that $\pi$ statistically quantum-UC-emulates $\rho$ with respect to the dummy-adversary. Fix an adversary Adv. We have to show that there exists a simulator Sim such that for all environments $Z$ we have that $\pi \cup \{\mathrm{Adv}, Z\}$ and $\rho \cup \{\mathrm{Sim}, Z\}$ are indistinguishable. Furthermore, if Adv is quantum-polynomial-time, Sim has to be quantum-polynomial-time, too.

For a given environment $Z$, we construct an environment $Z_{\mathrm{Adv}}$ that is supposed to interact with $\mathrm{Adv}_{dummy}$ and internally simulates $Z$ and Adv, and that routes all messages sent by the simulated Adv to $\pi$ through $\mathrm{Adv}_{dummy}$ and vice versa. Then $\pi \cup \{\mathrm{Adv}, Z\}$ and $\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\mathrm{Adv}}\}$ are perfectly indistinguishable. (Cf. networks (i) and (ii) in Figure 1.) Since $\pi$ statistically quantum-UC-emulates $\rho$ with respect to the dummy-adversary, we have that $\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\mathrm{Adv}}\}$ and $\rho \cup \{\mathrm{Sim}', Z_{\mathrm{Adv}}\}$ are indistinguishable for some Sim' and all $Z$. (Cf. networks (ii) and (iii).) Since $\mathrm{Adv}_{dummy}$ is quantum-polynomial-time, so is Sim'. We construct a machine Sim that internally simulates Sim' and Adv (network (iv)). Then $\rho \cup \{\mathrm{Sim}', Z_{\mathrm{Adv}}\}$ and $\rho \cup \{\mathrm{Sim}, Z\}$ are perfectly indistinguishable. Summarizing, $\pi \cup \{\mathrm{Adv}, Z\}$ and $\rho \cup \{\mathrm{Sim}, Z\}$ are indistinguishable for all environments $Z$. Furthermore, since Sim' is quantum-polynomial-time, we have that Sim is quantum-polynomial-time if Adv is. This concludes the proof in the case of statistical quantum-UC-security.

The proof in the case of computational quantum-UC-security is identical, except that we consider only quantum-polynomial-time Adv and $Z$, and thus have that $Z_{\mathrm{Adv}}$, Sim', and Sim are quantum-polynomial-time. □



2.3 Universal composition 

For some protocol $\sigma$, and some protocol $\pi$, by $\sigma^\pi$ we denote the protocol where $\sigma$ invokes (up to polynomially many) instances of $\pi$. That is, in $\sigma^\pi$ the machines from $\sigma$ and from $\pi$ run together in one network, and the machines from $\sigma$ access the inputs and outputs of $\pi$. (That is, $\sigma$ plays the role of the environment from the point of view of $\pi$. In particular, $Z$ then talks only to $\sigma$ and not to the subprotocol $\pi$ directly.) A typical situation would be that $\sigma^{\mathcal{F}}$ is some protocol that makes use of some ideal functionality $\mathcal{F}$, say a commitment functionality, and then $\sigma^\pi$ would be the protocol resulting from implementing that functionality with some protocol $\pi$, say a commitment protocol. (We say that $\sigma^{\mathcal{F}}$ is a protocol in the $\mathcal{F}$-hybrid model.) One would hope that such an implementation results in a secure protocol $\sigma^\pi$. That is, we hope that if $\pi$ quantum-UC-emulates $\mathcal{F}$ and $\sigma^{\mathcal{F}}$ quantum-UC-emulates $\mathcal{G}$, then $\sigma^\pi$ quantum-UC-emulates $\mathcal{G}$. Fortunately, this is the case:

Theorem 13 (Universal Composition Theorem) Let $\pi$, $\rho$, and $\sigma$ be quantum-polynomial-time protocols. Assume that $\pi$ quantum-UC-emulates $\rho$. Then $\sigma^\pi$ quantum-UC-emulates $\sigma^\rho$. This holds both for statistical and computational quantum-UC-security.
Figure 2: Networks occurring in the proof sketch of Theorem 13. Network (i) represents the real model, (ii) the ideal model, and (iii) the hybrid case. To avoid cluttering, in (iii), the connections to $\pi_{i-1}$, $\mathrm{Sim}'_{i+1}$, and $\rho_{i+1}$ have been omitted.



If we additionally have that $\sigma^\rho$ quantum-UC-emulates $\mathcal{G}$, from the transitivity of quantum-UC-emulation (Lemma 10), it immediately follows that $\sigma^\pi$ quantum-UC-emulates $\mathcal{G}$.

The compositionality guarantee given by Theorem 13 is often called universal composability. One should not confuse universal composability with UC-security. Although UC security implies universal composability, it has been shown by Hofheinz and Unruh [HU05, HU06, Unr06] that, in the classical setting at least, universal composability is a strictly weaker notion than UC security.

Proof of Theorem 13. We first show Theorem 13 for the case of computational quantum-UC-security. Thus, our goal is to prove that under the assumptions of Theorem 13, $\sigma^\pi$ computationally quantum-UC-emulates $\sigma^\rho$. Since $\sigma$ is quantum-polynomial-time, $\sigma$ invokes at most a polynomial number $n$ of instances of its subprotocol $\pi$ or $\rho$. Since $\pi$ quantum-UC-emulates $\rho$, there is a quantum-polynomial-time simulator Sim' such that for all environments $Z$ we have that $\pi \cup \{\mathrm{Adv}_{dummy}, Z\}$ and $\rho \cup \{\mathrm{Sim}', Z\}$ are indistinguishable. In the following, we call Sim' the dummy-simulator.

Let a quantum-polynomial-time adversary Adv be given (that is supposed to attack $\sigma^\pi$). We construct a simulator Sim that internally simulates the adversary Adv and $n$ instances $\mathrm{Sim}'_1, \ldots, \mathrm{Sim}'_n$ of the dummy-simulator Sim'. The simulated adversary Adv is connected to the environment and to the protocol $\sigma$, but all messages between Adv and the $i$-th instance $\pi_i$ of $\pi$ are routed through the dummy-simulator-instance $\mathrm{Sim}'_i$ (which is then supposed to transform these messages into a form suitable for instances of $\rho$). The simulator Sim is depicted by the dashed box in network (ii) in Figure 2.



We have to show that for any environment $Z$ we have that $\sigma^\pi \cup \{\mathrm{Adv}, Z\}$ and $\sigma^\rho \cup \{\mathrm{Sim}, Z\}$ are indistinguishable, i.e., that the output of $Z$ in the networks (i) and (ii) in Figure 2 is statistically indistinguishable.

For this, we construct a hybrid environment $Z_{\sigma,i}$. (It is depicted as the dashed box in network (iii) in Figure 2.) This environment simulates the machines $Z$, Adv, the protocol $\sigma$, instances $\pi_1, \ldots, \pi_{i-1}$ of the real protocol $\pi$, and instances $\mathrm{Sim}'_{i+1}, \ldots, \mathrm{Sim}'_n$ and $\rho_{i+1}, \ldots, \rho_n$ of the dummy-simulator Sim' and the ideal protocol $\rho$, respectively. The communication between $Z$, Adv, and $\sigma$ is directly forwarded by $Z_{\sigma,i}$. Communication between Adv and the $j$-th protocol instance is forwarded as follows: If $j < i$, the communication is simply forwarded to $\pi_j$. If $j > i$, the communication is routed through the corresponding dummy-simulator $\mathrm{Sim}'_j$ (which is then supposed to transform these messages into a form suitable for $\rho_j$). And finally, if $j = i$, the communication is passed to the adversary/simulator outside of $Z_{\sigma,i}$. Communication between $\sigma$ and the instances of $\pi$ or $\rho$ is directly forwarded.

We will now show that there is a negligible function $\mu$ such that $|\Pr[\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,i}\}}(k,z) = 1] - \Pr[\mathrm{Exec}_{\rho \cup \{\mathrm{Sim}', Z_{\sigma,i}\}}(k,z) = 1]| \leq \mu(k)$ for any security parameter $k$ and any $i = 1, \ldots, n$. For this, construct an environment $Z_\sigma$ which expects as its initial input a pair $(i, z)$, and then runs $Z_{\sigma,i}$ with input $z$. Since $\pi \cup \{\mathrm{Adv}_{dummy}, Z\}$ and $\rho \cup \{\mathrm{Sim}', Z\}$ are indistinguishable for all quantum-polynomial-time environments $Z$, there exists a negligible function $\mu$ such that the difference of $\Pr[\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,i}\}}(k,z) = 1] = \Pr[\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_\sigma\}}(k,(i,z)) = 1]$ and $\Pr[\mathrm{Exec}_{\rho \cup \{\mathrm{Sim}', Z_{\sigma,i}\}}(k,z) = 1] = \Pr[\mathrm{Exec}_{\rho \cup \{\mathrm{Sim}', Z_\sigma\}}(k,(i,z)) = 1]$ is bounded by $\mu(k)$ for all $i, k, z$.

The game $\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,i}\}}(k,z)$ is depicted as network (iii) in Figure 2 (except that we denoted the external copy of $\pi$ with $\pi_i$). Observe that $\mathrm{Exec}_{\rho \cup \{\mathrm{Sim}', Z_{\sigma,i+1}\}}(k,z)$ (note the changed index) contains the same machines as $\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,i}\}}(k,z)$ (when unfolding the simulation performed by $Z_{\sigma,i}$ into individual machines) up to the fact that the communication with the $i$-th instance of $\pi$ is routed through the dummy-adversary $\mathrm{Adv}_{dummy}$. However, the latter just forwards messages, so $\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,i}\}$ and $\rho \cup \{\mathrm{Sim}', Z_{\sigma,i+1}\}$ are perfectly indistinguishable.

Using the triangle inequality, it follows that $|\Pr[\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,n}\}}(k,z) = 1] - \Pr[\mathrm{Exec}_{\rho \cup \{\mathrm{S�m}', Z_{\sigma,1}\}}(k,z) = 1]|$ is bounded by $n \cdot \mu(k)$ which is negligible. Moreover, $\mathrm{Exec}_{\pi \cup \{\mathrm{Adv}_{dummy}, Z_{\sigma,n}\}}(k,z)$ and $\mathrm{Exec}_{\sigma^\pi \cup \{\mathrm{Adv}, Z\}}(k,z)$ describe the same game (up to unfolding of simulated submachines and up to one instance of the dummy-adversary). Similarly, $\mathrm{Exec}_{\rho \cup \{\mathrm{Sim}', Z_{\sigma,1}\}}(k,z)$ and $\mathrm{Exec}_{\sigma^\rho \cup \{\mathrm{Sim}, Z\}}(k,z)$ describe the same game (up to unfolding of simulated submachines). Thus $|\Pr[\mathrm{Exec}_{\sigma^\pi \cup \{\mathrm{Adv}, Z\}}(k,z) = 1] - \Pr[\mathrm{Exec}_{\sigma^\rho \cup \{\mathrm{Sim}, Z\}}(k,z) = 1]|$ is negligible and thus $\sigma^\pi \cup \{\mathrm{Adv}, Z\}$ and $\sigma^\rho \cup \{\mathrm{Sim}, Z\}$ are indistinguishable. Furthermore, since Adv and Sim' are quantum-polynomial-time, so is Sim.

Since this holds for all $Z$, and the construction of Sim does not depend on $Z$, we have that $\sigma^\pi$ computationally quantum-UC-emulates $\sigma^\rho$.

The case of statistical quantum-UC-security is shown analogously, except that Adv and Z may 
be unbounded, and Sim is only quantum-polynomial-time if Adv is. □ 

3 Relating classical and quantum-UC 

We call a machine classical if its state transition operator is classical. A protocol is classical if all 
its machines are classical. 

Using this definition we can reformulate the definition of statistical classical UC in our framework.

Definition 14 (Statistical classical-UC-security) Let protocols $\pi$ and $\rho$ be given. We say $\pi$ statistically classical-UC-emulates $\rho$ iff for every set $C \subseteq \mathit{parties}_\pi$ and for every classical adversary Adv there is a classical simulator Sim such that for every classical environment $Z$, $\pi^C \cup \{\mathrm{Adv}, Z\}$ and $\rho^C \cup \{\mathrm{Sim}, Z\}$ are indistinguishable. We furthermore require that if Adv is probabilistic-polynomial-time, so is Sim.

Note that classical statistical UC is essentially the same as the notion of statistical UC-security defined by Canetti [Can01].$^8$ Thus, known results for statistical UC-security carry over to the setting of Definition 14.

8 Details such as the machine model and message scheduling are defined differently, of course. But since these details also considerably change between different versions of the full version [Can05], we feel justified in saying that the notion of statistical classical UC is essentially the same as that formulated by Canetti.
The next theorem guarantees that if a classical protocol is statistically classical UC-secure, then it is also statistically quantum-UC-secure. This allows, e.g., to first prove the security of a protocol in the (usually much simpler) classical setting, and then to compose it with quantum protocols using the universal composition theorem (Theorem 13).

Theorem 15 (Quantum lifting theorem) Let $\pi$ and $\rho$ be classical protocols. Assume that $\pi$ statistically classical-UC-emulates $\rho$. Then $\pi$ statistically quantum-UC-emulates $\rho$.

Proof. Given a machine $M$, let $\mathcal{C}(M)$ denote the machine which behaves like $M$, but measures incoming messages in the computational basis before processing them, and measures outgoing messages in the computational basis. More precisely, the superoperator $\mathcal{E}^{(k)}_{\mathcal{C}(M)}$ first invokes $\mathcal{E}_{class}$ on $\mathcal{H}^{class} \otimes \mathcal{H}^{quant}$, then invokes $\mathcal{E}^{(k)}_M$ on $\mathcal{H}^{state} \otimes \mathcal{H}^{class} \otimes \mathcal{H}^{quant}$, and then again invokes $\mathcal{E}_{class}$ on $\mathcal{H}^{class} \otimes \mathcal{H}^{quant}$. Since it is possible to simulate quantum Turing machines on classical Turing machines (with an exponential overhead), for every machine $M$, there exists a classical machine $M'$ such that $\mathcal{C}(M)$ and $M'$ are perfectly indistinguishable.$^9$

We define the classical dummy-adversary $\mathrm{Adv}^{class}_{dummy}$ to be the classical machine that is defined like $\mathrm{Adv}_{dummy}$ (Definition 11), except that in each invocation, it first measures $\mathcal{H}^{class}$, $\mathcal{H}^{quant}$, and $\mathcal{H}^{state}$ in the computational basis (i.e., it applies $\mathcal{E}_{class}$ to $\mathcal{H}^{state} \otimes \mathcal{H}^{class} \otimes \mathcal{H}^{quant}$) and then proceeds as does $\mathrm{Adv}_{dummy}$. Note that $\mathrm{Adv}^{class}_{dummy}$ is probabilistic-polynomial-time.

By Lemma 12, we only need to show that for any set $C$ of corrupted parties, there exists a quantum-polynomial-time machine Sim such that for every machine $Z$ the real model $\pi^C \cup \{Z, \mathrm{Adv}_{dummy}\}$ and the ideal model $\rho^C \cup \{Z, \mathrm{Sim}\}$ are indistinguishable.

The protocol $\pi$ is classical, thus $\pi^C$ is classical, too, and thus all messages forwarded by $\mathrm{Adv}_{dummy}$ from $\pi^C$ to $Z$ have been measured in the computational basis by $\pi^C$, and all messages forwarded by $\mathrm{Adv}_{dummy}$ from $Z$ to $\pi^C$ will be measured by $\pi^C$ before being used. Thus, if $\mathrm{Adv}_{dummy}$ would additionally measure all messages it forwards in the computational basis, the view of $Z$ would not be modified. More formally, $\pi^C \cup \{Z, \mathrm{Adv}_{dummy}\}$ and $\pi^C \cup \{Z, \mathrm{Adv}^{class}_{dummy}\}$ are perfectly indistinguishable. Furthermore, since both $\pi^C$ and $\mathrm{Adv}^{class}_{dummy}$ measure all messages upon sending and receiving, $\pi^C \cup \{Z, \mathrm{Adv}^{class}_{dummy}\}$ and $\pi^C \cup \{\mathcal{C}(Z), \mathrm{Adv}^{class}_{dummy}\}$ are perfectly indistinguishable. Since it is possible to simulate quantum machines on classical machines (with an exponential overhead), there exists a classical machine $Z'$ that is perfectly indistinguishable from $\mathcal{C}(Z)$. Then $\pi^C \cup \{\mathcal{C}(Z), \mathrm{Adv}^{class}_{dummy}\}$ and $\pi^C \cup \{Z', \mathrm{Adv}^{class}_{dummy}\}$ are perfectly indistinguishable. Since $\mathrm{Adv}^{class}_{dummy}$ and $Z'$ are classical and $\mathrm{Adv}^{class}_{dummy}$ is polynomial-time, there exists a classical probabilistic-polynomial-time simulator Sim (whose construction is independent of $Z'$) such that $\pi^C \cup \{Z', \mathrm{Adv}^{class}_{dummy}\}$ and $\rho^C \cup \{Z', \mathrm{Sim}\}$ are indistinguishable.

Then $\rho^C \cup \{Z', \mathrm{Sim}\}$ and $\rho^C \cup \{\mathcal{C}(Z), \mathrm{Sim}\}$ are perfectly indistinguishable by construction of $Z'$. And since both $\rho^C$ and Sim measure all messages they send and receive, $\rho^C \cup \{\mathcal{C}(Z), \mathrm{Sim}\}$ and $\rho^C \cup \{Z, \mathrm{Sim}\}$ are perfectly indistinguishable.

Summarizing, we have that $\pi^C \cup \{Z, \mathrm{Adv}_{dummy}\}$ and $\rho^C \cup \{Z, \mathrm{Sim}\}$ are indistinguishable for all quantum-polynomial-time environments $Z$. Furthermore, Sim is classical probabilistic-polynomial-time and hence quantum-polynomial-time and its construction does not depend on the choice of $Z$. Thus $\pi$ statistically quantum-UC-emulates $\rho$. □

9 More precisely, for any set of machines $N$, the networks $N \cup \{M'\}$ and $N \cup \{\mathcal{C}(M)\}$ are perfectly indistinguishable.



3.1 The computational case

We now formulate a computational analogue to the quantum lifting theorem (Theorem 15) from the previous section. We cannot, however, expect a theorem of the following form: If π computationally classical-UC-emulates ρ, then π computationally quantum-UC-emulates ρ. For example, if the security of π is based on the hardness of the discrete logarithm, then π may computationally classical-UC-emulate ρ, but certainly π does not computationally quantum-UC-emulate ρ: a quantum-polynomial-time adversary can easily compute discrete logarithms using Shor's algorithm [Sho94]. Thus, in order to get a computational quantum lifting theorem, we need to give the adversary in the classical setting the same computational power as in the quantum setting. Classical machines that are as powerful as quantum-polynomial-time machines we call QPPT machines.

Definition 16 (Quantum-strong PPT) A classical machine M is said to be QPPT (quantum-strong probabilistic polynomial-time) if there is a quantum-polynomial-time machine M̃ such that for any network N, N ∪ {M} and N ∪ {M̃} are perfectly indistinguishable (short: M and M̃ are perfectly indistinguishable).

Definition 17 (QPPT classical UC security) Let protocols π and ρ be given. We say π QPPT classical-UC-emulates ρ iff for every set C ⊆ parties and for every QPPT adversary Adv there is a QPPT simulator Sim such that for every QPPT environment Z, the networks π^C ∪ {Adv, Z} and ρ^C ∪ {Sim, Z} are indistinguishable.

Theorem 18 (Quantum lifting theorem — computational) Let π and ρ be classical protocols. Assume that π QPPT classical-UC-emulates ρ. Then π computationally quantum-UC-emulates ρ.

Proof. We define C(M) and Adv^cl_dummy as in the proof of Theorem 15.

By Lemma 12 we only need to show that for any set C of corrupted parties, there exists a quantum-polynomial-time machine Sim such that for every quantum-polynomial-time machine Z the real model π^C ∪ {Z, Adv_dummy} and the ideal model ρ^C ∪ {Z, Sim} are indistinguishable.

The protocol π is classical, so π^C is classical, too, and thus all messages forwarded by Adv_dummy from π^C to Z have been measured in the computational basis by π^C, and all messages forwarded by Adv_dummy from Z to π^C will be measured by π^C before being used. Thus, if Adv would additionally measure all messages it forwards in the computational basis, the view of Z would not be modified. More formally, π^C ∪ {Z, Adv_dummy} and π^C ∪ {Z, Adv^cl_dummy} are perfectly indistinguishable. Furthermore, since both π^C and Adv^cl_dummy measure all messages upon sending and receiving, π^C ∪ {Z, Adv^cl_dummy} and π^C ∪ {C(Z), Adv^cl_dummy} are indistinguishable. By definition of QPPT machines, and since C(Z) is quantum-polynomial-time, there is a QPPT machine Z' that is perfectly indistinguishable from C(Z). Then π^C ∪ {C(Z), Adv^cl_dummy} and π^C ∪ {Z', Adv^cl_dummy} are perfectly indistinguishable. Since Adv^cl_dummy and Z' are QPPT machines, there exists a QPPT simulator Sim' (whose construction is independent of Z') such that π^C ∪ {Z', Adv^cl_dummy} and ρ^C ∪ {Z', Sim'} are indistinguishable.

Then ρ^C ∪ {Z', Sim'} and ρ^C ∪ {C(Z), Sim'} are perfectly indistinguishable by construction of Z'. And since both ρ^C and Sim' measure all messages they send and receive, ρ^C ∪ {C(Z), Sim'} and ρ^C ∪ {Z, Sim'} are perfectly indistinguishable. Since Sim' is a QPPT machine, by definition there exists a quantum-polynomial-time machine Sim such that Sim and Sim' are perfectly indistinguishable. Then ρ^C ∪ {Z, Sim'} and ρ^C ∪ {Z, Sim} are perfectly indistinguishable.

Summarizing, we have that π^C ∪ {Z, Adv_dummy} and ρ^C ∪ {Z, Sim} are indistinguishable for all quantum-polynomial-time environments Z. Furthermore, Sim is quantum-polynomial-time and its construction does not depend on the choice of Z. Thus π computationally quantum-UC-emulates ρ. □

A word of caution: While the statistical quantum lifting theorem (Theorem 15) can be directly applied to existing statistically UC-secure protocols, the computational variant of this theorem cannot be directly applied to existing proofs. Although proving that a classical protocol is QPPT classical UC-secure is probably simpler than directly performing the proof in the quantum setting, at various places in a proof of QPPT classical UC-security one has to prove that the machines one constructed from the adversary/environment are QPPT. (This needs to be done whenever a proof step is done by reduction, and when showing that the final simulator is QPPT.) As long as the constructed machines simulate the original adversary as a black-box without rewinding, this will be straightforward. However, when the constructed machine internally rewinds a QPPT machine, showing that the constructed machine is also QPPT will be non-trivial. Thus, to apply Theorem 18 to an existing protocol, we need to carefully revisit the original proof, and we need to be aware of the fact that the closure properties of the class of QPPT machines are not the same as those of the class of PPT machines.

In this context, we formulate the following open problem: Can we formulate the class of all 
QPPT machines as the class of all probabilistic-polynomial-time machines relative to a suitable 
oracle? More precisely, is the following conjecture true? 

Conjecture 19 There exists an oracle O (e.g., the decision oracle of a BQP-complete problem) such that a classical machine M is QPPT if and only if there exists an oracle machine M^O which runs in probabilistic-polynomial-time and which is perfectly indistinguishable from M.

A positive answer to this question would allow rewinding of QPPT machines (since an oracle machine M^O can be rewound). However, the impact of such a positive answer would not be limited to our setting; we expect that it would also allow a simple analysis of classical protocols in the quantum stand-alone model, and of classical zero-knowledge proofs in the quantum setting.

4 Relation to the stand-alone model 

In this section, we show that security in the quantum stand-alone model does, in some cases, already imply quantum-UC-security. We will need this result as a tool for reusing parts of the proof given by Damgård et al. [DFL+09a] for their OT protocol. We first review the necessary parts of the stand-alone model as defined by Fehr and Schaffner [FS09]. For details, see their paper.

The basic idea behind the stand-alone model is similar to that of the UC model. We are given a protocol π and a functionality F,¹⁰ and we call the protocol π secure if any attack on π can be simulated in an ideal model where the simulator only has access to the functionality F. We will only need the special case of a two-party protocol in which Alice does not take any input. In this case, we say that the protocol π implements F in the statistical quantum stand-alone model for corrupted Bob if the following holds: For any adversary Adv, there is a simulator Sim such that for any quantum state ρ_adv, the trace distance between the states ρ_real and ρ_ideal is negligible. Here, the state ρ_real is defined to be the joint state consisting of the output of Alice and of the adversary after a protocol execution in which the adversary gets ρ_adv as his initial input. The state ρ_ideal is defined to be the joint state consisting of the output of Alice and of the simulator after an execution in which the simulator first gets ρ_adv as his initial input, then may give arbitrary inputs to F in the name of Bob, then gets the outputs for Bob from F, and then produces his output.

10 In the stand-alone model, one usually calls this functionality a function because it is required to be non-interactive, first taking inputs from all parties, and then sending the computed outputs to all parties.

[Figure 3 (diagram not reproduced): the networks Real, Real', Real'', Ideal, Ideal' and Ideal''.]

Figure 3: Networks occurring in the proof of Theorem 20. Dashed boxes represent machines that internally simulate other machines. Arrows between machines represent communication, and arrows leaving the network represent the overall output of the network (indistinguishability is defined in terms of that output). Dummy-parties and corruption parties are omitted for simplicity.

Theorem 20 Fix a protocol π with parties Alice and Bob (not using any ideal functionality). Assume that in this protocol Alice takes no input, and that Alice does not accept messages after sending her output.

Assume that the protocol π implements a two-party functionality F in the statistical quantum stand-alone model for corrupted Bob.

Assume that the corresponding simulator is quantum-polynomial-time, that the simulator internally simulates the adversary as a black-box (and in particular, the description of the simulator does not otherwise depend on the adversary), that the simulator does not rewind the adversary, and that the simulator outputs the state output by the internally simulated adversary.

Then π statistically quantum-UC-emulates F in the case of corrupted Bob.

Proof. Fix an environment Z. By Lemma 12 we have to construct a simulator Sim such that the probability that Z outputs 1 in the real and ideal model is negligibly close. (This simulator needs to be independent of the choice of Z.) Here, the real model Real consists of the environment Z, the dummy-adversary Adv := Adv_dummy, the honest party A (Alice), and the corruption party B^C. The ideal model Ideal consists of the environment Z, the simulator Sim, the functionality F, the dummy-party A, and the corruption party B^C.

Alice does not accept any messages after sending her output, so we can assume without loss of generality that Z does not send any messages to Alice after receiving her output. Since Adv is the dummy-adversary, we can assume that Z also does not send any messages to Adv after receiving Alice's output (since these messages would be routed through Adv through B^C and then to Alice and ignored). Thus, we can assume without loss of generality that after receiving Alice's output, Z does not send any messages, but performs a measurement D on its state and Alice's output with some outcome d ∈ {0, 1}. Then Z terminates with output d. Thus we can represent Z as consisting internally of two machines Z' and D. The machine D gets the outputs of Z' and Alice and outputs d. This situation is depicted in Figure 3, network Real.

We then define a network Real' which contains Z' instead of Z. See Figure 3. Let ρ(Real') denote the joint output of Z' and Alice. Note that this output is not a single bit (as in Definition 3) but a quantum state. Note that when applying the measurement D to ρ(Real'), the distribution of the measurement outcome is the distribution of the output of Z in Real.

We then define a network Real'' which results from Real' by replacing Z' and Adv by a single machine Z'_Adv which internally simulates Z' and Adv. See Figure 3. Then ρ(Real') = ρ(Real'').

Now, since π implements F in the statistical quantum stand-alone model, and since Z'_Adv is a valid adversary in the quantum stand-alone model (it only interacts with the honest parties, but does not provide inputs or get the outputs), we have that there is a simulator Sim' such that the trace distance between ρ(Real'') and ρ(Ideal'') is negligible. Here Ideal'' is the network consisting of Sim' and F.

By assumption, the simulator Sim' internally simulates Z'_Adv as a black box and outputs what the simulated Z'_Adv outputs. Hence we can represent Sim' as internally consisting of two machines: the adversary Z'_Adv, and some machine Sim* that interacts with Z'_Adv. The construction of Sim* does not depend on Z'_Adv, and Sim* is quantum-polynomial-time since Sim' is quantum-polynomial-time by assumption. The output of Sim' is that of Z'_Adv. Note further that Z'_Adv by construction also consists of two internally simulated machines Z' and Adv and outputs what Z' outputs. So the output of Sim' is that of the internal Z'. See Figure 3, network Ideal''.

The simulator Sim' internally simulates Z', Adv, and Sim*. We define Ideal' by replacing Sim' in Ideal'' by Z' and Sim, where Sim is defined to internally simulate Adv and Sim*. See Figure 3. Then ρ(Ideal'') = ρ(Ideal').

Thus the trace distance between ρ(Real') and ρ(Ideal') is negligible. Furthermore, when applying the measurement D to ρ(Real'), the distribution of the measurement outcome is the distribution of the output of Z in Real. Similarly, when applying the measurement D to ρ(Ideal'), the distribution of the measurement outcome is the distribution of the output of Z in Ideal. Thus the statistical distance between the output of Z in Real and in Ideal is negligible. Thus Real and Ideal are indistinguishable.

Furthermore, since Sim consists of Adv and Sim*, it is independent of Z. And since Sim* is quantum-polynomial-time, Sim is quantum-polynomial-time if Adv is. Thus π statistically quantum-UC-emulates F in the case of corrupted Bob. □
Parameters: Integers n, m > n, ℓ, a family F of universal hash functions.
Parties: The sender Alice and the recipient Bob.
Inputs: Alice gets no input, Bob gets a bit c.

1. Alice chooses x^A ∈ {0, 1}^m and θ^A ∈ {+, ×}^m and sends |x^A⟩_{θ^A} to Bob.

2. Bob receives the state |Ψ⟩ sent by the sender. Then Bob chooses θ^B ∈ {+, ×}^m and measures the qubits of |Ψ⟩ in the bases θ^B. Call the result x^B.

3. For each i, Bob commits to θ^B_i and x^B_i using one instance of F_COM each.

4. Alice chooses a set T ⊆ {1, ..., m} of size m − n and sends T to Bob.

5. Bob opens the commitments of θ^B_i and x^B_i for all i ∈ T.

6. Alice checks x^A_i = x^B_i for all i with i ∈ T and θ^A_i = θ^B_i. If this test fails, Alice aborts.

7. Let x^A be the n-bit string resulting from removing the bits at positions i ∈ T from x^A. Define θ^A, x^B, and θ^B analogously.

8. Alice sends θ^A to Bob.

9. Bob sets I_c := {i : θ^A_i = θ^B_i} and I_{1−c} := {i : θ^A_i ≠ θ^B_i}. Then Bob sends (I_0, I_1) to Alice.

10. Alice chooses s_0, s_1 ∈ {0, 1}^ℓ and f_0, f_1 ∈ F, outputs (s_0, s_1), and computes m_i := s_i ⊕ f_i(x^A|_{I_i}) for i = 0, 1. Then Alice sends f_0, f_1, m_0, m_1 to Bob.

11. Bob outputs s := m_c ⊕ f_c(x^B|_{I_c}).

Figure 4: Protocol π_QROT for randomized oblivious transfer.



5 Oblivious transfer

Definition 21 (OT protocols) The protocol π_QROT is defined in Figure 4. Fix a commitment scheme com. The protocol π^com_QROT is defined like π_QROT, but instead of using the functionality F_COM, the commitment scheme com is used. The protocol π_QOT is defined like π_QROT, with the following modifications: Alice takes as input two ℓ(k)-bit strings v_0, v_1. In Step 10, Alice additionally sends t_0, t_1 with t_i := s_i ⊕ v_i. Bob outputs s ⊕ t_c instead of s in Step 11.
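The following is an added example and not code from the paper: a classical, honest-party simulation of π_QROT (Figure 4) together with the π_QOT modification of Definition 21 (Alice's extra message t_i := s_i ⊕ v_i, Bob's output s ⊕ t_c). The BB84 channel is replaced by a classical stand-in (a qubit read in its preparation basis yields the encoded bit, in the other basis a uniformly random bit), the 2m commitments by a small class playing F_COM, and the universal hash family F by random binary matrices over GF(2); all function and variable names are ours.

```python
import random

PLUS, CROSS = "+", "x"   # the two BB84 bases {+, x} used in Figure 4


def measure(bit, prep_basis, meas_basis, rng):
    """Classical stand-in for measuring |bit>_{prep_basis} in meas_basis:
    the same basis returns the encoded bit, the conjugate basis a uniform bit."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def random_hash(rng, n_in, n_out):
    """Pick f in F: a random n_out x n_in matrix over GF(2) (a universal family)."""
    return [[rng.getrandbits(1) for _ in range(n_in)] for _ in range(n_out)]


def apply_hash(f, bits):
    """f(bits): matrix-vector product over GF(2), one parity per output bit."""
    return [sum(r & b for r, b in zip(row, bits)) & 1 for row in f]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


class FCom:
    """Stand-in for the ideal commitment functionality F_COM: the receiver
    learns nothing at commit time and the sender cannot change the value."""

    def __init__(self):
        self._values = []

    def commit(self, value):          # Bob sends (commit, x); Alice only learns that a commitment exists
        self._values.append(value)
        return len(self._values) - 1  # handle identifying this F_COM instance

    def open(self, handle):           # Bob sends open; Alice receives (open, x)
        return self._values[handle]


def qrot(n, m, ell, c, seed=None):
    """Honest run of pi_QROT. Returns (s0, s1, s): Alice's output (s0, s1) and
    Bob's output s, which equals s_c. Raises ValueError if Alice aborts in Step 6."""
    assert m > n and c in (0, 1)
    rng = random.Random(seed)
    # Step 1: Alice picks x^A and bases theta^A and "sends" |x^A>_{theta^A}.
    xA = [rng.getrandbits(1) for _ in range(m)]
    thA = [rng.choice((PLUS, CROSS)) for _ in range(m)]
    # Step 2: Bob measures every qubit in a random basis theta^B.
    thB = [rng.choice((PLUS, CROSS)) for _ in range(m)]
    xB = [measure(xA[i], thA[i], thB[i], rng) for i in range(m)]
    # Step 3: Bob commits to each pair (theta^B_i, x^B_i) in its own instance.
    fcom = FCom()
    handles = [fcom.commit((thB[i], xB[i])) for i in range(m)]
    # Step 4: Alice picks the test set T of size m - n.
    T = set(rng.sample(range(m), m - n))
    # Steps 5-6: Bob opens the test positions; Alice checks agreement where bases coincide.
    for i in sorted(T):
        thB_i, xB_i = fcom.open(handles[i])
        if thA[i] == thB_i and xA[i] != xB_i:
            raise ValueError("Alice aborts in Step 6: position %d inconsistent" % i)
    # Step 7: drop the test positions, keeping n-bit strings.
    keep = [i for i in range(m) if i not in T]
    xA, thA = [xA[i] for i in keep], [thA[i] for i in keep]
    xB, thB = [xB[i] for i in keep], [thB[i] for i in keep]
    # Steps 8-9: Alice reveals theta^A; Bob puts matching bases into I_c, the rest into I_{1-c}.
    I = [None, None]
    I[c] = [j for j in range(n) if thA[j] == thB[j]]
    I[1 - c] = [j for j in range(n) if thA[j] != thB[j]]
    # Step 10: Alice picks s_0, s_1 and f_0, f_1 and sends m_i = s_i xor f_i(x^A|_{I_i}).
    s = [[rng.getrandbits(1) for _ in range(ell)] for _ in range(2)]
    f = [random_hash(rng, len(I[i]), ell) for i in range(2)]
    msg = [xor(s[i], apply_hash(f[i], [xA[j] for j in I[i]])) for i in range(2)]
    # Step 11: Bob unmasks m_c with f_c(x^B|_{I_c}); on I_c his bits equal Alice's.
    s_bob = xor(msg[c], apply_hash(f[c], [xB[j] for j in I[c]]))
    return s[0], s[1], s_bob


def qot(v0, v1, c, n, m, seed=None):
    """pi_QOT from Definition 21: run pi_QROT, then one-time-pad v_i with s_i.
    Returns Bob's output, which equals v_c."""
    assert len(v0) == len(v1)
    s0, s1, s = qrot(n, m, len(v0), c, seed)
    t = [xor(s0, v0), xor(s1, v1)]   # Alice's additional message t_0, t_1 in Step 10
    return xor(s, t[c])              # Bob outputs s xor t_c instead of s in Step 11


if __name__ == "__main__":
    v0 = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample inputs
    v1 = [0, 1, 1, 0, 1, 0, 0, 1]
    print(qot(v0, v1, 1, n=64, m=128, seed=2024) == v1)   # True
```

With honest parties the Step 6 check never fails and Bob's output equals v_c, because on I_c Bob measured in Alice's bases and therefore x^B|_{I_c} = x^A|_{I_c}; on I_{1−c} roughly half of his bits are random, which is why m_{1−c} stays masked.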

We first analyze π_QROT and will then deduce the security of π_QOT from that of π_QROT.

We first state the trivial cases (note for the uncorrupted case that we assume secure channels):

Lemma 22 The protocol π_QROT statistically quantum-UC-emulates F_ROT^{ℓ(k)} in the case of no corrupted parties and in the case of both Alice and Bob being corrupted.



5.1 Corrupted Alice

Lemma 23 The protocol π_QROT statistically quantum-UC-emulates F_ROT^{ℓ(k)} in the case of corrupted Alice.

Proof. First, we describe the structure of the real and ideal model in the case that the party A (Alice) is corrupted:

In the real model, we have the environment Z, the adversary Adv, the corruption party A^C, the honest party B (Bob), and the 2m instances of the commitment functionality F_COM. The adversary controls the corruption party A^C, so effectively he controls the communication with Bob and the inputs of F_COM. Bob's input (a choice bit c) is chosen by the environment, and the environment also gets Bob's output (a bitstring s ∈ {0, 1}^ℓ). See Figure 5 (a).
Figure 5: Networks occurring in the proof of Lemma 23. The dashed box represents the machine Sim that internally simulates Adv, A^C, F_FakeCOM and B.



In the ideal model, we have the environment Z, the simulator Sim (to be defined below), the corruption party A^C, the dummy-party B, and the randomized OT functionality F_ROT. The simulator Sim controls the corruption party A^C and hence effectively chooses the inputs s_0, s_1 of F_ROT.¹¹ The input c of F_ROT is chosen by the dummy-party B and thus effectively by the environment Z. The output s := s_c of F_ROT is given to the dummy-party B and thus effectively to the environment Z. See Figure 5 (b).



To show Lemma 23, we need to find a simulator Sim such that, for any environment Z, the real model and the ideal model are indistinguishable. To do so, we start with the real model, and change the machines in the real model step-by-step until we end up with the ideal model containing a suitable simulator Sim (which we define below in the description of Game 6). In each step, we show that the networks before and after the step are perfectly indistinguishable.

Game 1. We replace F_COM by a commitment functionality F_FakeCOM in which Bob (the sender) can cheat. That is, in the commit phase, F_FakeCOM expects a message commit from B (instead of (commit, x)), and in the open phase, F_FakeCOM expects a message (open, x) (instead of open) and then sends (open, x) to Alice. We also change Bob's implementation accordingly, i.e., when Bob should commit to a bit b, he stores that bit b and gives it to F_FakeCOM when opening the commitment. Obviously, this change leads to a perfectly indistinguishable network (since Bob still opens the commitment in the same way).

Game 2. Since Bob uses F_FakeCOM instead of F_COM, he does not use the outcomes x^B_i of his measurements before Step 5 (for i ∈ T) or Step 11 (for i ∉ T) of the protocol. Thus, we modify Bob so that he performs the measurements with outcomes x^B_i (i ∈ T) in Step 5 (in particular, after learning T), and the measurements with outcomes x^B_i (i ∉ T) in Step 11. Delaying the measurements leads to a perfectly indistinguishable network.

Game 3. The bits x^B_i with i ∈ I_{1−c} are never used by Bob. Thus we can modify Bob to use the bases θ^A_i instead of θ^B_i for these bits without changing the output of Z. Furthermore, since θ^A_i = θ^B_i for i ∈ I_c, we can modify Bob to also use the bases θ^A_i instead of θ^B_i when measuring x^B_i with i ∈ I_c. Summarizing, we modify Bob to use θ^A instead of θ^B, and we get a perfectly indistinguishable network.

11 Remember that, if Alice is corrupted, F_ROT behaves like F_OT and takes inputs s_0, s_1 from Alice.

Game 4. The bases θ^B are chosen randomly by Bob, and they are only used to compute the sets I_0 and I_1. We change Bob to instead pick (I_0, I_1) as a random partition of {1, ..., n}. Since this leads to the same distribution of (I_0, I_1) and since θ^B is not used elsewhere, this leads to a perfectly indistinguishable network.

Game 5. In Step 11, we change Bob to compute s_i := m_i ⊕ f_i(x^B|_{I_i}) for i = 0, 1 and to output s := s_c. This leads to the same value of s as the original computation s := m_c ⊕ f_c(x^B|_{I_c}), hence the resulting network is perfectly indistinguishable from the previous one. Note that now, Bob only uses the choice bit c to pick which of the two values s_0, s_1 to output.

Game 6. We now construct a machine Sim that internally simulates the machines Adv, A^C, F_FakeCOM, and Bob. We let Sim run with an (external) corruption party A^C, and when (the simulated) Bob computes s_0, s_1 in Step 11, Sim instructs the (external) corruption party A^C to input s_0, s_1 into F_ROT (instead of letting Bob output s = s_c). Then F_ROT will, given input c from the dummy-party B, output s_c to the dummy-party B. The dummy-party B then forwards s_c to the environment Z. See Figure 5 (c). The only difference with respect to the previous network (besides a regrouping of machines) is that now s_c is computed by F_ROT from s_0, s_1. However, F_ROT computes s_c in the same way as Bob would have done. Thus, the resulting network is perfectly indistinguishable from the previous one.

Since the network from Game 6 (Figure 5 (c)) is identical to the ideal model (Figure 5 (b)), and since the real model is perfectly indistinguishable from the network from Game 6, we have that the real and the ideal network are perfectly indistinguishable.

Furthermore, Sim is quantum-polynomial-time if Adv is, and the construction of Sim does not depend on the choice of the environment Z. Thus the protocol π_QROT statistically quantum-UC-emulates F_ROT^{ℓ(k)} in the case of corrupted Alice. □



5.2 Corrupted Bob 

We call a commitment scheme trivially extractable if, given the messages exchanged during the commit phase, it is efficiently possible to determine the value to which the commitment will be opened. Obviously, this directly contradicts the hiding property of the commitment, so trivially extractable commitments are not overly useful. However, we need such commitments as an intermediate construction in the following proofs. An example of a trivially extractable commitment is one which sends the committed message in clear during the commit phase.

Corollary 24 (Stand-alone quantum OT [DFL+09a]) Let 0 < α < 1 and 0 < λ < 1/4 be constants. Assume m = ⌈n/(1 − α)⌉ and ℓ = ⌊λn⌋ and that n grows at least linearly in the security parameter k.

Assume that com is a statistically binding, trivially extractable commitment scheme. Then π^com_QROT implements F_ROT^{ℓ(k)} in the statistical quantum stand-alone model.

The corresponding simulator is quantum-polynomial-time, internally simulates the adversary as a black-box, does not rewind the adversary, and outputs the state output by the internally simulated adversary.
Note that Damgård et al. [DFL+09a] prove a slightly different result. First, it only assumes that the commitment scheme com is extractable in the so-called common reference string (CRS) model. That is, a globally known and trusted string, the CRS, is available to all parties, and it is possible to extract the committed value when one is allowed to choose the CRS oneself. A trivially extractable commitment can be seen as a special case with a zero-length CRS. Second, it only assumes that the scheme is computationally binding, and thus only proves security in the computational quantum stand-alone model. If we assume that the commitment is statistically binding instead, the same proof shows security in the statistical quantum stand-alone model. Third, they analyze the protocol π^com_QOT, but the proof trivially adapts to π^com_QROT.



Lemma 25 Under the same assumptions on n, m, ℓ as in Corollary 24, the protocol π_QROT statistically quantum-UC-emulates F_ROT^{ℓ(k)} in the case of corrupted Bob.

Proof. Let com be the following commitment scheme: To commit to a message m, the sender sends (commit, m), and the recipient always accepts the commitment. To open the commitment, the sender sends open, and the recipient accepts and outputs m. Obviously, this commitment is not hiding. However, it is easily seen to be statistically binding and trivially extractable.

Consider the protocol π_QROT. Here Bob sends the messages (commit, m) and open to the commitment functionality, while in the protocol π^com_QROT, Bob sends these messages directly to Alice. In other words, the machine Alice in π^com_QROT can be represented as a machine that internally simulates the machine Alice from π_QROT and the ideal functionality F_COM. Thus, as long as Alice is honest, π_QROT statistically quantum-UC-emulates F_ROT in the case of corrupted Bob if and only if π^com_QROT statistically quantum-UC-emulates F_ROT in the case of corrupted Bob.

By Corollary 24, π^com_QROT implements F_ROT in the statistical quantum stand-alone model in the case of corrupted Bob with a simulator having the special properties listed in Corollary 24. Thus, by Theorem 20, π^com_QROT statistically quantum-UC-emulates F_ROT in the case of corrupted Bob. Thus π_QROT statistically quantum-UC-emulates F_ROT in the case of corrupted Bob. □

Theorem 26 Let 0 < α < 1 and 0 < λ < 1/4 be constants. Assume m = ⌈n/(1 − α)⌉ and ℓ = ⌊λn⌋ and that n grows at least linearly in the security parameter.

Then the protocol π_QROT statistically quantum-UC-emulates F_ROT^{ℓ(k)}.

Proof. Immediate from Lemmas 22, 23 and 25.

Theorem 27 Let 0 < α < 1 and 0 < λ < 1/4 be constants. Assume m = ⌈n/(1 − α)⌉ and ℓ = ⌊λn⌋ and that n grows at least linearly in the security parameter.

Then the protocol π_QOT (Definition 21) statistically quantum-UC-emulates F_OT^{ℓ(k)}.

Proof. Consider the following protocol π'_QOT in the F_ROT-hybrid model. Given inputs v_0, v_1 ∈ {0, 1}^{ℓ(k)} for Alice and a bit c for Bob, Bob invokes F_ROT with input c. Then Alice gets random s_0, s_1 ∈ {0, 1}^{ℓ(k)}, and Bob gets s = s_c. Then Alice sends t_0, t_1 with t_i := v_i ⊕ s_i to Bob. And Bob outputs s ⊕ t_c. It is easy to see that π'_QOT statistically classical-UC-emulates F_OT. Hence, by the quantum lifting theorem (Theorem 15), π'_QOT statistically quantum-UC-emulates F_OT. Note that the protocol π_QOT is the protocol resulting from replacing, in π'_QOT, calls to F_ROT by calls to the subprotocol π_QROT. Furthermore, π_QROT statistically quantum-UC-emulates F_ROT by Theorem 26. Hence, by the composition theorem (Theorem 13), π_QOT statistically quantum-UC-emulates F_OT. □
6 Multi-party computation

Theorem 28 Let F be a classical probabilistic-polynomial-time functionality.¹² Then there exists a protocol π in the F_COM-hybrid model that statistically quantum-UC-emulates F. (Assuming the number of protocol parties does not depend on the security parameter.)

Proof. Ishai, Prabhakaran, and Sahai [IPS08] prove the existence of a protocol ρ^{F_OT} in the F_OT-hybrid model that statistically classical-UC-emulates F (assuming a constant number of parties). By the quantum lifting theorem (Theorem 15), ρ^{F_OT} statistically quantum-UC-emulates F. By Theorem 27, π_QOT statistically quantum-UC-emulates F_OT. Let π := ρ^{π_QOT} be the result of replacing invocations of F_OT in ρ^{F_OT} by invocations of the subprotocol π_QOT (as described in Section 2.3). Then by the universal composition theorem (Theorem 13), π statistically quantum-UC-emulates ρ^{F_OT}. Using the fact that quantum-UC-emulation is transitive (Lemma 10), it follows that π statistically quantum-UC-emulates F. □

We proceed to show that the result from Theorem 28 is possible only in the quantum setting. That is, we show that there is a natural functionality that cannot be statistically classical-UC-emulated in the commitment-hybrid model. To show this impossibility result, we first need the following lemma.

Lemma 29 There is no classical two-party protocol (that runs in a polynomial number of rounds) in the commitment-hybrid model that has the following properties:

• Let a ∈ {0, 1} denote Alice's input, and b ∈ {0, 1} Bob's input. Then Alice's and Bob's output is a·b with overwhelming probability.

• The view of Alice in the case (a, b) = (0, 0) is statistically indistinguishable from the view of Alice in the case (a, b) = (0, 1).

• The view of Bob in the case (a, b) = (0, 0) is statistically indistinguishable from the view of Bob in the case (a, b) = (1, 0).

In all three cases we assume that Alice and Bob honestly follow the protocol (i.e., Alice and Bob are honest-but-curious). The view of a party consists of all messages sent and received by that party together with its input and random choices.



Proof. Assume a protocol π satisfying the properties from Lemma 29. We assume without loss of generality that the last message sent in an execution of π contains the output of Alice. We transform π into a protocol π' that does not use commitments. Namely, when Alice would commit to a value m, she instead sends committed to Bob, and when she would open that commitment, she sends m to Bob. Analogously, we remove Bob's commitments. The resulting protocol π' still satisfies the properties from Lemma 29 since we only consider honest-but-curious parties.

We use Lemma 33 from [MQU07a]: Let U_0, U_1, L_0, L_1 be interactive machines that send only a polynomially-bounded number of messages. Let ⟨U, L⟩ denote the transcript of the communication in an interaction of U and L. Assume that ⟨U_0, L_0⟩ ≈ ⟨U_1, L_0⟩ ≈ ⟨U_0, L_1⟩ where ≈ denotes statistical indistinguishability. Then ⟨U_0, L_0⟩ ≈ ⟨U_1, L_1⟩.

Let U_0 be a machine executing Alice's program in π' on input 0, and let U_1 execute Alice's program on input 1. Let L_0 and L_1 execute Bob's program on inputs 0 and 1, respectively. Then the properties in Lemma 29 guarantee that ⟨U_0, L_0⟩ ≈ ⟨U_1, L_0⟩ ≈ ⟨U_0, L_1⟩. Hence ⟨U_0, L_0⟩ ≈ ⟨U_1, L_1⟩. This implies that the communication between Alice and Bob in π' is indistinguishable in the cases a = b = 0 and a = b = 1. This is a contradiction to the fact that in the first case, the last message contains the output ab = 0, and in the second case, the last message contains the output ab = 1. □

12 Subject to certain technical restrictions stemming from the proof by Ishai et al. [IPS08]: Whenever the functionality gets an input, the adversary is informed about the length of that input. Whenever the functionality makes an output, the adversary is informed about the length of that output and may decide when this output is to be scheduled.

Definition 30 (AND) The functionality F_AND expects an input a ∈ {0, 1} from Alice and b ∈ {0, 1} from Bob. Then it sends a·b to Alice and Bob.

Theorem 31 (Impossibility of classical multi-party computation) There is no classical probabilistic-polynomial-time protocol π in the F_COM-hybrid model such that π statistically classical-UC-emulates F_AND.

Proof. The statistical UC-security of π would imply the properties listed in Lemma 29. Hence by Lemma 29 such a protocol π does not exist. □

7 Conclusions 

We have given a definition of quantum-UC-security that provides strong composability guarantees for quantum protocols. We have shown that in this model, it is possible to construct statistically secure oblivious transfer protocols given only commitments. Furthermore, we showed that a protocol which is secure in the statistical classical UC model is also secure in the statistical quantum UC model. This simplifies the modular design of quantum protocols and allows us to construct UC-secure general multi-party computation protocols given only commitments.

Directions for future work include:

• Combine the UC framework and the bounded quantum storage model. In this model, Damgård, Fehr, Salvail, and Schaffner [DFSS05] have constructed statistically hiding and binding commitment schemes and statistically secure OT protocols. If variants of these protocols can be shown secure in the UC framework, this would allow to construct general UC-secure multi-party computation protocols, only assuming that the adversary has a certain upper bound on his quantum storage.

• Combine our result with the protocols for long-term classical UC-secure commitments by Müller-Quade and Unruh [MQU07b] (see Section 1.4). If their protocols can be shown to be secure in the quantum setting, this would enable general long-term secure multi-party computation based on practical setup-assumptions (the availability of signature cards).

• Find efficient constructions. Our protocol invokes a commitment for each qubit sent by Alice. In some settings, a commitment can be quite expensive. For example, commitment protocols in the bounded quantum storage model have a large quantum communication complexity. In this setting, the efficiency of our protocol could be improved considerably if we were able to use few string commitments instead of committing to each bit individually.

• Find analogues to the quantum lifting theorem in other security models. In the stand-alone model, it is an open question whether classically secure protocols are secure in the quantum setting, too. Similarly, we do not know whether classically secure zero-knowledge proofs are in general secure against quantum adversaries.

Acknowledgements. I thank Jörn Müller-Quade for the original inspiration for this work and Christian Schaffner for valuable discussions.